diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch | 59 |
1 files changed, 21 insertions, 38 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch index 826d42fc20..6caf35b634 100644 --- a/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch +++ b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch @@ -1,33 +1,33 @@ -From 52c38fa9f3a790a7c2805e7d8cce3ea9262d6ae2 Mon Sep 17 00:00:00 2001 +CVE: CVE-2022-1050 +Upstream-Status: Submitted [https://lore.kernel.org/qemu-devel/20220403095234.2210-1-yuval.shaia.ml@gmail.com/] +Signed-off-by: Ross Burton <ross.burton@arm.com> + +From dbdef95c272e8f3ec037c3db4197c66002e30995 Mon Sep 17 00:00:00 2001 From: Yuval Shaia <yuval.shaia.ml@gmail.com> -Date: Tue, 12 Apr 2022 11:01:51 +0100 -Subject: [PATCH 10/12] hw/pvrdma: Protect against buggy or malicious guest - driver +Date: Sun, 3 Apr 2022 12:52:34 +0300 +Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver Guest driver might execute HW commands when shared buffers are not yet allocated. -This might happen on purpose (malicious guest) or because some other -guest/host address mapping. +This could happen on purpose (malicious guest) or because of some other +guest/host address mapping error. We need to protect againts such case. -Reported-by: Mauro Matteo Cascella <mcascell@redhat.com> -Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com> - -CVE: CVE-2022-1050 -Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html] +Fixes: CVE-2022-1050 +Reported-by: Raven <wxhusst@gmail.com> +Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com> --- - hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ - hw/rdma/vmw/pvrdma_main.c | 3 ++- - 2 files changed, 8 insertions(+), 1 deletion(-) + hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ + 1 file changed, 6 insertions(+) -diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c -index da7ddfa54..89db963c4 100644 ---- a/hw/rdma/vmw/pvrdma_cmd.c -+++ b/hw/rdma/vmw/pvrdma_cmd.c -@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) - - dsr_info = &dev->dsr_info; +Index: qemu-8.0.0/hw/rdma/vmw/pvrdma_cmd.c +=================================================================== +--- qemu-8.0.0.orig/hw/rdma/vmw/pvrdma_cmd.c ++++ qemu-8.0.0/hw/rdma/vmw/pvrdma_cmd.c +@@ -782,6 +782,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) + goto out; + } + if (!dsr_info->dsr) { + /* Buggy or malicious guest driver */ @@ -38,20 +38,3 @@ index da7ddfa54..89db963c4 100644 if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / sizeof(struct cmd_handler)) { rdma_error_report("Unsupported command"); -diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c -index 91206dbb8..0b7d908e2 100644 ---- a/hw/rdma/vmw/pvrdma_main.c -+++ b/hw/rdma/vmw/pvrdma_main.c -@@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev *dev) - { - struct pvrdma_device_shared_region *dsr; - -- if (dev->dsr_info.dsr == NULL) { -+ if (!dev->dsr_info.dsr) { -+ /* Buggy or malicious guest driver */ - rdma_error_report("Can't initialized DSR"); - return; - } --- -2.30.2 - |