diff options
| author | Ross Burton <ross.burton@arm.com> | 2022-09-22 13:39:53 +0100 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-09-22 21:39:21 +0100 |
| commit | a4b9310146957007275493a29ba3dd546063781b (patch) | |
| tree | 88dff51bc62aa5a207886fed4d275f20444b4511 /meta/recipes-devtools/qemu/qemu | |
| parent | 14eea4a99511743e8e23a3ed6e189a2940d8f351 (diff) | |
| download | poky-a4b9310146957007275493a29ba3dd546063781b.tar.gz | |
qemu: re-add the fix for CVE-2022-1050
This patch was accidentally dropped in the 7.1.0 upgrade, so bring it
back.
(From OE-Core rev: 09bcf6d2a661a3c39fdd13a760f6c26dd79abb69)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu')
| -rw-r--r-- | meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch new file mode 100644 index 0000000000..810c74fabd --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch | |||
| @@ -0,0 +1,43 @@ | |||
| 1 | CVE: CVE-2022-1050 | ||
| 2 | Upstream-Status: Submitted [https://lore.kernel.org/qemu-devel/20220403095234.2210-1-yuval.shaia.ml@gmail.com/] | ||
| 3 | Signed-off-by: Ross Burton <ross.burton@arm.com> | ||
| 4 | |||
| 5 | From dbdef95c272e8f3ec037c3db4197c66002e30995 Mon Sep 17 00:00:00 2001 | ||
| 6 | From: Yuval Shaia <yuval.shaia.ml@gmail.com> | ||
| 7 | Date: Sun, 3 Apr 2022 12:52:34 +0300 | ||
| 8 | Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver | ||
| 9 | |||
| 10 | Guest driver might execute HW commands when shared buffers are not yet | ||
| 11 | allocated. | ||
| 12 | This could happen on purpose (malicious guest) or because of some other | ||
| 13 | guest/host address mapping error. | ||
| 14 | We need to protect againts such case. | ||
| 15 | |||
| 16 | Fixes: CVE-2022-1050 | ||
| 17 | |||
| 18 | Reported-by: Raven <wxhusst@gmail.com> | ||
| 19 | Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com> | ||
| 20 | --- | ||
| 21 | hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ | ||
| 22 | 1 file changed, 6 insertions(+) | ||
| 23 | |||
| 24 | diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c | ||
| 25 | index da7ddfa548..89db963c46 100644 | ||
| 26 | --- a/hw/rdma/vmw/pvrdma_cmd.c | ||
| 27 | +++ b/hw/rdma/vmw/pvrdma_cmd.c | ||
| 28 | @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) | ||
| 29 | |||
| 30 | dsr_info = &dev->dsr_info; | ||
| 31 | |||
| 32 | + if (!dsr_info->dsr) { | ||
| 33 | + /* Buggy or malicious guest driver */ | ||
| 34 | + rdma_error_report("Exec command without dsr, req or rsp buffers"); | ||
| 35 | + goto out; | ||
| 36 | + } | ||
| 37 | + | ||
| 38 | if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / | ||
| 39 | sizeof(struct cmd_handler)) { | ||
| 40 | rdma_error_report("Unsupported command"); | ||
| 41 | -- | ||
| 42 | 2.34.1 | ||
| 43 | |||