Patrick Williams | 03907ee | 2022-05-01 06:28:52 -0500 | [diff] [blame] | 1 | hw/pvrdma: Protect against buggy or malicious guest driver |
| 2 | |
| 3 | Guest driver might execute HW commands when shared buffers are not yet |
| 4 | allocated. |
| 5 | This might happen on purpose (malicious guest) or because some other |
| 6 | guest/host address mapping. |
| 7 | We need to protect against such a case. |
| 8 | |
| 9 | Reported-by: Mauro Matteo Cascella <mcascell@redhat.com> |
| 10 | Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com> |
| 11 | |
| 12 | CVE: CVE-2022-1050 |
| 13 | Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html] |
| 14 | |
| 15 | Index: qemu-6.2.0/hw/rdma/vmw/pvrdma_cmd.c |
| 16 | =================================================================== |
| 17 | --- qemu-6.2.0.orig/hw/rdma/vmw/pvrdma_cmd.c |
| 18 | +++ qemu-6.2.0/hw/rdma/vmw/pvrdma_cmd.c |
| 19 | @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) |
| 20 | |
| 21 | dsr_info = &dev->dsr_info; |
| 22 | |
| 23 | + if (!dsr_info->dsr) { |
| 24 | + /* Buggy or malicious guest driver */ |
| 25 | + rdma_error_report("Exec command without dsr, req or rsp buffers"); |
| 26 | + goto out; |
| 27 | + } |
| 28 | + |
| 29 | if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / |
| 30 | sizeof(struct cmd_handler)) { |
| 31 | rdma_error_report("Unsupported command"); |
| 32 | Index: qemu-6.2.0/hw/rdma/vmw/pvrdma_main.c |
| 33 | =================================================================== |
| 34 | --- qemu-6.2.0.orig/hw/rdma/vmw/pvrdma_main.c |
| 35 | +++ qemu-6.2.0/hw/rdma/vmw/pvrdma_main.c |
| 36 | @@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev |
| 37 | { |
| 38 | struct pvrdma_device_shared_region *dsr; |
| 39 | |
| 40 | - if (dev->dsr_info.dsr == NULL) { |
| 41 | + if (!dev->dsr_info.dsr) { |
| 42 | + /* Buggy or malicious guest driver */ |
| 43 | rdma_error_report("Can't initialized DSR"); |
| 44 | return; |
| 45 | } |