diff options
author | Ross Burton <ross.burton@arm.com> | 2022-09-22 13:39:53 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-09-22 21:39:21 +0100 |
commit | a4b9310146957007275493a29ba3dd546063781b (patch) | |
tree | 88dff51bc62aa5a207886fed4d275f20444b4511 /meta/recipes-devtools/qemu/qemu | |
parent | 14eea4a99511743e8e23a3ed6e189a2940d8f351 (diff) | |
download | poky-a4b9310146957007275493a29ba3dd546063781b.tar.gz |
qemu: re-add the fix for CVE-2022-1050
This patch was accidentally dropped in the 7.1.0 upgrade, so bring it
back.
(From OE-Core rev: 09bcf6d2a661a3c39fdd13a760f6c26dd79abb69)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch new file mode 100644 index 0000000000..810c74fabd --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch | |||
@@ -0,0 +1,43 @@ | |||
1 | CVE: CVE-2022-1050 | ||
2 | Upstream-Status: Submitted [https://lore.kernel.org/qemu-devel/20220403095234.2210-1-yuval.shaia.ml@gmail.com/] | ||
3 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
4 | |||
5 | From dbdef95c272e8f3ec037c3db4197c66002e30995 Mon Sep 17 00:00:00 2001 | ||
6 | From: Yuval Shaia <yuval.shaia.ml@gmail.com> | ||
7 | Date: Sun, 3 Apr 2022 12:52:34 +0300 | ||
8 | Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver | ||
9 | |||
10 | Guest driver might execute HW commands when shared buffers are not yet | ||
11 | allocated. | ||
12 | This could happen on purpose (malicious guest) or because of some other | ||
13 | guest/host address mapping error. | ||
14 | We need to protect againts such case. | ||
15 | |||
16 | Fixes: CVE-2022-1050 | ||
17 | |||
18 | Reported-by: Raven <wxhusst@gmail.com> | ||
19 | Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com> | ||
20 | --- | ||
21 | hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ | ||
22 | 1 file changed, 6 insertions(+) | ||
23 | |||
24 | diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c | ||
25 | index da7ddfa548..89db963c46 100644 | ||
26 | --- a/hw/rdma/vmw/pvrdma_cmd.c | ||
27 | +++ b/hw/rdma/vmw/pvrdma_cmd.c | ||
28 | @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) | ||
29 | |||
30 | dsr_info = &dev->dsr_info; | ||
31 | |||
32 | + if (!dsr_info->dsr) { | ||
33 | + /* Buggy or malicious guest driver */ | ||
34 | + rdma_error_report("Exec command without dsr, req or rsp buffers"); | ||
35 | + goto out; | ||
36 | + } | ||
37 | + | ||
38 | if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / | ||
39 | sizeof(struct cmd_handler)) { | ||
40 | rdma_error_report("Unsupported command"); | ||
41 | -- | ||
42 | 2.34.1 | ||
43 | |||