Re: [PATCH-for-7.0] hw/pvrdma: Protect against buggy or malicious guest driver

qemu-devel.nongnu.org archive mirror
 help / color / mirror / Atom feed

From: "Philippe Mathieu-Daudé" <philippe.mathieu.daude@gmail.com>
To: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,
	Yuval Shaia <yuval.shaia.ml@gmail.com>
Cc: wxhusst@gmail.com, Peter Maydell <peter.maydell@linaro.org>,
	Mauro Matteo Cascella <mcascell@redhat.com>,
	qemu devel list <qemu-devel@nongnu.org>
Subject: Re: [PATCH-for-7.0] hw/pvrdma: Protect against buggy or malicious guest driver
Date: Tue, 29 Mar 2022 12:10:59 +0200	[thread overview]
Message-ID: <11dcf949-22aa-b94e-143d-88093ee0b67d@gmail.com> (raw)
In-Reply-To: <CAC_L=vXa2O_YVACvwPPkNyy7agQ5aJnBHV70MSN3XZfD+zremw@mail.gmail.com>

On 22/3/22 13:27, Marcel Apfelbaum wrote:
> Hi Yuval
> 
> On Mon, Mar 21, 2022 at 2:11 PM Yuval Shaia <yuval.shaia.ml@gmail.com> wrote:
>>
>> Guest driver might execute HW commands when shared buffers are not yet
>> allocated.
>> This might happen on purpose (malicious guest) or because some other
>> guest/host address mapping.
>> We need to protect againts such case.
>>

Fixes: CVE-2022-1050

>> Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
>> Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
>> ---
>>   hw/rdma/vmw/pvrdma_cmd.c  | 6 ++++++
>>   hw/rdma/vmw/pvrdma_main.c | 9 +++++----
>>   2 files changed, 11 insertions(+), 4 deletions(-)
>>
>> diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
>> index da7ddfa548..89db963c46 100644
>> --- a/hw/rdma/vmw/pvrdma_cmd.c
>> +++ b/hw/rdma/vmw/pvrdma_cmd.c
>> @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
>>
>>       dsr_info = &dev->dsr_info;
>>
>> +    if (!dsr_info->dsr) {
>> +            /* Buggy or malicious guest driver */
>> +            rdma_error_report("Exec command without dsr, req or rsp buffers");
>> +            goto out;
>> +    }
>> +
>>       if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
>>                         sizeof(struct cmd_handler)) {
>>           rdma_error_report("Unsupported command");
>> diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
>> index 91206dbb8e..aae382af59 100644
>> --- a/hw/rdma/vmw/pvrdma_main.c
>> +++ b/hw/rdma/vmw/pvrdma_main.c
>> @@ -159,13 +159,13 @@ static void free_dsr(PVRDMADev *dev)
>>       free_dev_ring(pci_dev, &dev->dsr_info.cq, dev->dsr_info.cq_ring_state);
>>
>>       rdma_pci_dma_unmap(pci_dev, dev->dsr_info.req,
>> -                         sizeof(union pvrdma_cmd_req));
>> +                       sizeof(union pvrdma_cmd_req));
>>
>>       rdma_pci_dma_unmap(pci_dev, dev->dsr_info.rsp,
>> -                         sizeof(union pvrdma_cmd_resp));
>> +                       sizeof(union pvrdma_cmd_resp));
>>
>>       rdma_pci_dma_unmap(pci_dev, dev->dsr_info.dsr,
>> -                         sizeof(struct pvrdma_device_shared_region));
>> +                       sizeof(struct pvrdma_device_shared_region));
>>
> 
> Nit: the above changes are not related to the patch, maybe drop them?

Yes please.

> 
> Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
> 
> Thanks,
> Marcel
> 
>>       dev->dsr_info.dsr = NULL;
>>   }
>> @@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev *dev)
>>   {
>>       struct pvrdma_device_shared_region *dsr;
>>
>> -    if (dev->dsr_info.dsr == NULL) {
>> +    if (!dev->dsr_info.dsr) {
>> +        /* Buggy or malicious guest driver */
>>           rdma_error_report("Can't initialized DSR");
>>           return;
>>       }
>> --
>> 2.20.1
>>
>

     prev parent reply	other threads:[~2022-03-29 10:13 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-21 13:11 [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver Yuval Shaia
2022-03-22 12:27 ` Marcel Apfelbaum
2022-03-29 10:10   ` Philippe Mathieu-Daudé [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=11dcf949-22aa-b94e-143d-88093ee0b67d@gmail.com \
    --to=philippe.mathieu.daude@gmail.com \
    --cc=marcel.apfelbaum@gmail.com \
    --cc=mcascell@redhat.com \
    --cc=peter.maydell@linaro.org \
    --cc=qemu-devel@nongnu.org \
    --cc=wxhusst@gmail.com \
    --cc=yuval.shaia.ml@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).