Andrew Geissler | d583833 | 2022-05-27 11:33:10 -0500 | 1 | From 52c38fa9f3a790a7c2805e7d8cce3ea9262d6ae2 Mon Sep 17 00:00:00 2001 |
| 2 | From: Yuval Shaia <yuval.shaia.ml@gmail.com> |
| 3 | Date: Tue, 12 Apr 2022 11:01:51 +0100 |
| 4 | Subject: [PATCH 10/12] hw/pvrdma: Protect against buggy or malicious guest |
| 5 | driver |
| 6 | |
| 7 | Guest driver might execute HW commands when shared buffers are not yet |
| 8 | allocated. |
| 9 | This might happen on purpose (malicious guest) or because of some other |
| 10 | guest/host address mapping problem. |
| 11 | We need to protect against such a case. |
| 12 | |
| 13 | Reported-by: Mauro Matteo Cascella <mcascell@redhat.com> |
| 14 | Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com> |
| 15 | |
| 16 | CVE: CVE-2022-1050 |
| 17 | Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html] |
| 18 | |
| 19 | --- |
| 20 | hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ |
| 21 | hw/rdma/vmw/pvrdma_main.c | 3 ++- |
| 22 | 2 files changed, 8 insertions(+), 1 deletion(-) |
| 23 | |
| 24 | diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c |
| 25 | index da7ddfa54..89db963c4 100644 |
| 26 | --- a/hw/rdma/vmw/pvrdma_cmd.c |
| 27 | +++ b/hw/rdma/vmw/pvrdma_cmd.c |
| 28 | @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) |
| 29 | |
| 30 | dsr_info = &dev->dsr_info; |
| 31 | |
| 32 | + if (!dsr_info->dsr) { |
| 33 | + /* Buggy or malicious guest driver */ |
| 34 | + rdma_error_report("Exec command without dsr, req or rsp buffers"); |
| 35 | + goto out; |
| 36 | + } |
| 37 | + |
| 38 | if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / |
| 39 | sizeof(struct cmd_handler)) { |
| 40 | rdma_error_report("Unsupported command"); |
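Review bot: The new guard in pvrdma_exec_cmd tests only `dsr_info->dsr`, while its message names the req and rsp buffers and the very next statement dereferences `dsr_info->req->hdr.cmd`. If the mapping code (outside this hunk) can ever leave `dsr` set while `req` or `rsp` is NULL, that dereference is still reachable from the guest. Checking all three, `if (!dsr_info->dsr || !dsr_info->req || !dsr_info->rsp) {`, makes the guard match its message and hold regardless of mapping order. The `out` label and the rest of the function are outside the hunk, so it is worth confirming that the error path itself does not touch `req` or `rsp`.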
| 41 | diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c |
| 42 | index 91206dbb8..0b7d908e2 100644 |
| 43 | --- a/hw/rdma/vmw/pvrdma_main.c |
| 44 | +++ b/hw/rdma/vmw/pvrdma_main.c |
| 45 | @@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev *dev) |
| 46 | { |
| 47 | struct pvrdma_device_shared_region *dsr; |
| 48 | |
| 49 | - if (dev->dsr_info.dsr == NULL) { |
| 50 | + if (!dev->dsr_info.dsr) { |
| 51 | + /* Buggy or malicious guest driver */ |
| 52 | rdma_error_report("Can't initialized DSR"); |
| 53 | return; |
| 54 | } |
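Review bot: init_dsr_dev_caps returns void, so after this check a NULL `dsr` is only logged and the caller cannot tell that capability setup was skipped. The callers are outside the hunk, so it is worth confirming they do not go on to use `dev->dsr_info.dsr` after this early return. The log text would also read better as `rdma_error_report("Can't initialize DSR");`. The function body continues past the end of the hunk.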
| 55 | -- |
| 56 | 2.30.2 |
| 57 | |