diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch new file mode 100644 index 0000000000..826d42fc20 --- /dev/null +++ b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch | |||
@@ -0,0 +1,57 @@ | |||
1 | From 52c38fa9f3a790a7c2805e7d8cce3ea9262d6ae2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yuval Shaia <yuval.shaia.ml@gmail.com> | ||
3 | Date: Tue, 12 Apr 2022 11:01:51 +0100 | ||
4 | Subject: [PATCH 10/12] hw/pvrdma: Protect against buggy or malicious guest | ||
5 | driver | ||
6 | |||
7 | Guest driver might execute HW commands when shared buffers are not yet | ||
8 | allocated. | ||
9 | This might happen on purpose (malicious guest) or because some other | ||
10 | guest/host address mapping. | ||
11 | We need to protect againts such case. | ||
12 | |||
13 | Reported-by: Mauro Matteo Cascella <mcascell@redhat.com> | ||
14 | Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com> | ||
15 | |||
16 | CVE: CVE-2022-1050 | ||
17 | Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html] | ||
18 | |||
19 | --- | ||
20 | hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ | ||
21 | hw/rdma/vmw/pvrdma_main.c | 3 ++- | ||
22 | 2 files changed, 8 insertions(+), 1 deletion(-) | ||
23 | |||
24 | diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c | ||
25 | index da7ddfa54..89db963c4 100644 | ||
26 | --- a/hw/rdma/vmw/pvrdma_cmd.c | ||
27 | +++ b/hw/rdma/vmw/pvrdma_cmd.c | ||
28 | @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) | ||
29 | |||
30 | dsr_info = &dev->dsr_info; | ||
31 | |||
32 | + if (!dsr_info->dsr) { | ||
33 | + /* Buggy or malicious guest driver */ | ||
34 | + rdma_error_report("Exec command without dsr, req or rsp buffers"); | ||
35 | + goto out; | ||
36 | + } | ||
37 | + | ||
38 | if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / | ||
39 | sizeof(struct cmd_handler)) { | ||
40 | rdma_error_report("Unsupported command"); | ||
41 | diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c | ||
42 | index 91206dbb8..0b7d908e2 100644 | ||
43 | --- a/hw/rdma/vmw/pvrdma_main.c | ||
44 | +++ b/hw/rdma/vmw/pvrdma_main.c | ||
45 | @@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev *dev) | ||
46 | { | ||
47 | struct pvrdma_device_shared_region *dsr; | ||
48 | |||
49 | - if (dev->dsr_info.dsr == NULL) { | ||
50 | + if (!dev->dsr_info.dsr) { | ||
51 | + /* Buggy or malicious guest driver */ | ||
52 | rdma_error_report("Can't initialized DSR"); | ||
53 | return; | ||
54 | } | ||
55 | -- | ||
56 | 2.30.2 | ||
57 | |||