From: Laurent Vivier <laurent@vivier.eu>
To: qemu-devel@nongnu.org
Cc: qemu-trivial@nongnu.org, Yuval Shaia <yuval.shaia.ml@gmail.com>,
Raven <wxhusst@gmail.com>, Laurent Vivier <laurent@vivier.eu>
Subject: [PULL 12/15] hw/pvrdma: Protect against buggy or malicious guest driver
Date: Wed, 18 Jan 2023 08:52:31 +0100
Message-ID: <20230118075234.2322131-13-laurent@vivier.eu>
In-Reply-To: <20230118075234.2322131-1-laurent@vivier.eu>
From: Yuval Shaia <yuval.shaia.ml@gmail.com>
Guest driver might execute HW commands when shared buffers are not yet
allocated.
This could happen on purpose (malicious guest) or because of some other
guest/host address mapping error.
We need to protect against such a case.
Fixes: CVE-2022-1050
Reported-by: Raven <wxhusst@gmail.com>
Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Message-Id: <20220403095234.2210-1-yuval.shaia.ml@gmail.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
---
hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index 1eca6328c924..c6ed02598211 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -776,6 +776,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
dsr_info = &dev->dsr_info;
+ if (!dsr_info->dsr) {
+ /* Buggy or malicious guest driver */
+ rdma_error_report("Exec command without dsr, req or rsp buffers");
+ goto out;
+ }
+
if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
sizeof(struct cmd_handler)) {
rdma_error_report("Unsupported command");
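Review bot: the error message names the "req or rsp buffers" but the new condition tests only `dsr_info->dsr`, while the very next statement dereferences `dsr_info->req->hdr.cmd`. If a non-NULL `dsr` guarantees that `req` and `rsp` were mapped as well, say so in the comment above the check ("/* Buggy or malicious guest driver: dsr, req and rsp are mapped together */") so the invariant is explicit; if it does not, extend the condition to `if (!dsr_info->dsr || !dsr_info->req || !dsr_info->rsp)` so that the dereference of `req` cannot happen on a partially mapped shared region. Either way, the check is the right place to stop a guest that issues commands before the shared region exists, and the early `goto out` keeps the error path on the existing cleanup label.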
--
2.38.1