Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
new file mode 100644
index 0000000000..826d42fc20
--- /dev/null
+++ b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
@@ -0,0 +1,57 @@
+From 52c38fa9f3a790a7c2805e7d8cce3ea9262d6ae2 Mon Sep 17 00:00:00 2001
+From: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Date: Tue, 12 Apr 2022 11:01:51 +0100
+Subject: [PATCH 10/12] hw/pvrdma: Protect against buggy or malicious guest
+ driver
+
+Guest driver might execute HW commands when shared buffers are not yet
+allocated.
+This might happen on purpose (malicious guest) or because some other
+guest/host address mapping.
+We need to protect againts such case.
+
+Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
+Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+
+CVE: CVE-2022-1050
+Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html]
+
+---
+ hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
+ hw/rdma/vmw/pvrdma_main.c | 3 ++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index da7ddfa54..89db963c4 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
++++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
+
+ dsr_info = &dev->dsr_info;
+
++ if (!dsr_info->dsr) {
++ /* Buggy or malicious guest driver */
++ rdma_error_report("Exec command without dsr, req or rsp buffers");
++ goto out;
++ }
++
+ if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
+ sizeof(struct cmd_handler)) {
+ rdma_error_report("Unsupported command");
+diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
+index 91206dbb8..0b7d908e2 100644
+--- a/hw/rdma/vmw/pvrdma_main.c
++++ b/hw/rdma/vmw/pvrdma_main.c
+@@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev *dev)
+ {
+ struct pvrdma_device_shared_region *dsr;
+
+- if (dev->dsr_info.dsr == NULL) {
++ if (!dev->dsr_info.dsr) {
++ /* Buggy or malicious guest driver */
+ rdma_error_report("Can't initialized DSR");
+ return;
+ }
+--
+2.30.2
+ |
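Review bot: The guard added in `pvrdma_exec_cmd` tests only `dsr_info->dsr`, although its own error message names the req and rsp buffers and the very next context line dereferences `dsr_info->req->hdr.cmd`, which is guest-controlled state. Whether `req` and `rsp` are always mapped whenever `dsr` is non-NULL is decided in code outside this hunk, so either test them here as well, `if (!dsr_info->dsr || !dsr_info->req || !dsr_info->rsp) {`, or, if that invariant does hold, state it next to the check, e.g. `/* dsr is only non-NULL once req and rsp are mapped */`. The rest of the function and the `out` label are outside the hunk, so it is worth confirming that the path taken by `goto out` does not itself touch the unmapped buffers. The `init_dsr_dev_caps` hunk only rewrites the NULL test and adds a comment, so it raises nothing further.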