hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ 1 file changed, 6 insertions(+)
Guest driver might execute HW commands when shared buffers are not yet
allocated.
This could happen on purpose (malicious guest) or because of some other
guest/host address mapping error.
We need to protect against such a case.
Fixes: CVE-2022-1050
Reported-by: Raven <wxhusst@gmail.com>
Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
---
v1 -> v2:
* Commit message changes
v2 -> v3:
* Exclude cosmetic changes
---
hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index da7ddfa548..89db963c46 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
dsr_info = &dev->dsr_info;
+ if (!dsr_info->dsr) {
+ /* Buggy or malicious guest driver */
+ rdma_error_report("Exec command without dsr, req or rsp buffers");
+ goto out;
+ }
+
if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
sizeof(struct cmd_handler)) {
rdma_error_report("Unsupported command");
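Review bot: The new guard at the top of pvrdma_exec_cmd() tests only dsr_info->dsr, while its error text names "dsr, req or rsp buffers" and the very next statement dereferences dsr_info->req (`dsr_info->req->hdr.cmd`). If req or rsp can ever be NULL while dsr is set, that dereference is still reachable from the guest; either check all three, e.g. `if (!dsr_info->dsr || !dsr_info->req || !dsr_info->rsp)`, or add a comment stating the invariant that the three buffers are mapped and torn down together. It is also worth confirming that the code at the `out` label, which this hunk does not show, never touches rsp on this early-exit path.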
--
2.20.1
Ping? This is from April this year, half a year ago. Can this be applied or?
Marcel said it should wait a week or two, I think that's been done already.. ;)

Thanks,

/mjt

03.04.2022 12:52, Yuval Shaia wrote:
> Guest driver might execute HW commands when shared buffers are not yet
> allocated.
> This could happen on purpose (malicious guest) or because of some other
> guest/host address mapping error.
> We need to protect against such a case.
>
> Fixes: CVE-2022-1050
>
> Reported-by: Raven <wxhusst@gmail.com>
> Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
> ---
> v1 -> v2:
> * Commit message changes
> v2 -> v3:
> * Exclude cosmetic changes
> ---
> hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c > index da7ddfa548..89db963c46 100644 > --- a/hw/rdma/vmw/pvrdma_cmd.c > +++ b/hw/rdma/vmw/pvrdma_cmd.c > @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) > > dsr_info = &dev->dsr_info; > > + if (!dsr_info->dsr) { > + /* Buggy or malicious guest driver */ > + rdma_error_report("Exec command without dsr, req or rsp buffers"); > + goto out; > + } > + > if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / > sizeof(struct cmd_handler)) { > rdma_error_report("Unsupported command");
Hi Yuval,

Thank you for the changes.

On Sun, Apr 3, 2022 at 11:54 AM Yuval Shaia <yuval.shaia.ml@gmail.com> wrote:
>
> Guest driver might execute HW commands when shared buffers are not yet
> allocated.
> This could happen on purpose (malicious guest) or because of some other
> guest/host address mapping error.
> We need to protect against such a case.
>
> Fixes: CVE-2022-1050
>
> Reported-by: Raven <wxhusst@gmail.com>
> Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
> ---
> v1 -> v2:
> * Commit message changes
> v2 -> v3:
> * Exclude cosmetic changes
> ---
> hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c > index da7ddfa548..89db963c46 100644 > --- a/hw/rdma/vmw/pvrdma_cmd.c > +++ b/hw/rdma/vmw/pvrdma_cmd.c > @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) > > dsr_info = &dev->dsr_info; > > + if (!dsr_info->dsr) { > + /* Buggy or malicious guest driver */ > + rdma_error_report("Exec command without dsr, req or rsp buffers"); > + goto out; > + } > + > if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / > sizeof(struct cmd_handler)) { > rdma_error_report("Unsupported command");
> --
> 2.20.1
>

cc-ing Peter and Philippe for a question:
Do we have a "Security Fixes" or a "Misc" subtree? Otherwise it will
have to wait a week or so.

Reviewed by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>

Thanks,
Marcel