Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch')
-rw-r--r--meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch57
1 files changed, 57 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
new file mode 100644
index 0000000000..826d42fc20
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
@@ -0,0 +1,57 @@
+From 52c38fa9f3a790a7c2805e7d8cce3ea9262d6ae2 Mon Sep 17 00:00:00 2001
+From: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Date: Tue, 12 Apr 2022 11:01:51 +0100
+Subject: [PATCH 10/12] hw/pvrdma: Protect against buggy or malicious guest
+ driver
+
+Guest driver might execute HW commands when shared buffers are not yet
+allocated.
+This might happen on purpose (malicious guest) or because some other
+guest/host address mapping.
+We need to protect againts such case.
+
+Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+
+CVE: CVE-2022-1050
+Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html]
+
+---
+ hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
+ hw/rdma/vmw/pvrdma_main.c | 3 ++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index da7ddfa54..89db963c4 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
++++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
+
+ dsr_info = &dev->dsr_info;
+
++ if (!dsr_info->dsr) {
++ /* Buggy or malicious guest driver */
++ rdma_error_report("Exec command without dsr, req or rsp buffers");
++ goto out;
++ }
++
+ if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
+ sizeof(struct cmd_handler)) {
+ rdma_error_report("Unsupported command");
+diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
+index 91206dbb8..0b7d908e2 100644
+--- a/hw/rdma/vmw/pvrdma_main.c
++++ b/hw/rdma/vmw/pvrdma_main.c
+@@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev *dev)
+ {
+ struct pvrdma_device_shared_region *dsr;
+
+- if (dev->dsr_info.dsr == NULL) {
++ if (!dev->dsr_info.dsr) {
++ /* Buggy or malicious guest driver */
+ rdma_error_report("Can't initialized DSR");
+ return;
+ }
+--
+2.30.2
+
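Review bot: In the embedded `pvrdma_exec_cmd` hunk the new guard tests only `dsr_info->dsr`, while its own error message names the dsr, req and rsp buffers and the very next statement dereferences `dsr_info->req->hdr.cmd`. Whether a non-NULL `dsr` guarantees that `req` and `rsp` are mapped is decided in code outside this hunk, so the guard should either test them too, e.g. `if (!dsr_info->dsr || !dsr_info->req || !dsr_info->rsp) {`, or carry a comment stating the invariant that makes the single test sufficient. The request buffer appears to be guest-shared memory, so that invariant is what keeps a guest-triggered NULL dereference out of the host process. The function body and the `out:` label lie outside the hunk, and the header records the fix as `Upstream-Status: Submitted`, so it is worth re-checking against whatever finally lands upstream.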