Blame - poky/meta/recipes-devtools/qemu/qemu/pvrdma.patch - openbmc/openbmc

blob: 7b0335b1dc940f5e2f8f6d2e6265b52bab51fca1 [file] [log] [blame]

Patrick Williams	03907ee	2022-05-01 06:28:52 -0500	[diff] [blame]	1	hw/pvrdma: Protect against buggy or malicious guest driver
				2
				3	Guest driver might execute HW commands when shared buffers are not yet
				4	allocated.
				5	This might happen on purpose (malicious guest) or because some other
				6	guest/host address mapping.
				7	We need to protect againts such case.
				8
				9	Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
				10	Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
				11
				12	CVE: CVE-2022-1050
				13	Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html]
				14
				15	Index: qemu-6.2.0/hw/rdma/vmw/pvrdma_cmd.c
				16	===================================================================
				17	--- qemu-6.2.0.orig/hw/rdma/vmw/pvrdma_cmd.c
				18	+++ qemu-6.2.0/hw/rdma/vmw/pvrdma_cmd.c
				19	@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
				20
				21	dsr_info = &dev->dsr_info;
				22
				23	+ if (!dsr_info->dsr) {
				24	+ /* Buggy or malicious guest driver */
				25	+ rdma_error_report("Exec command without dsr, req or rsp buffers");
				26	+ goto out;
				27	+ }
				28	+
				29	if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
				30	sizeof(struct cmd_handler)) {
				31	rdma_error_report("Unsupported command");
				32	Index: qemu-6.2.0/hw/rdma/vmw/pvrdma_main.c
				33	===================================================================
				34	--- qemu-6.2.0.orig/hw/rdma/vmw/pvrdma_main.c
				35	+++ qemu-6.2.0/hw/rdma/vmw/pvrdma_main.c
				36	@@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev
				37	{
				38	struct pvrdma_device_shared_region *dsr;
				39
				40	- if (dev->dsr_info.dsr == NULL) {
				41	+ if (!dev->dsr_info.dsr) {
				42	+ /* Buggy or malicious guest driver */
				43	rdma_error_report("Can't initialized DSR");
				44	return;
				45	}