1. Patchew
  2. QEMU
  3. View series

[PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607)

Marcel Apfelbaum posted 1 patch 2 years, 10 months ago
Test checkpatch passed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20210630114634.2168872-1-marcel@redhat.com
Maintainers: Yuval Shaia <yuval.shaia.ml@gmail.com>, Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
hw/rdma/vmw/pvrdma_main.c | 5 +++++
1 file changed, 5 insertions(+)
[PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607)
Posted by Marcel Apfelbaum 2 years, 10 months ago 
Check the guest passed a non zero page count
for pvrdma device ring buffers.

Fixes: CVE-2021-3607
Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
---
 hw/rdma/vmw/pvrdma_main.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 84ae8024fc..7c0c3551a8 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
     uint64_t *dir, *tbl;
     int rc = 0;
 
+    if (!num_pages) {
+        rdma_error_report("Ring pages count must be strictly positive");
+        return -EINVAL;
+    }
+
     dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
     if (!dir) {
         rdma_error_report("Failed to map to page directory (ring %s)", name);
-- 
2.31.1
Re: [PATCH] pvrdma: Ensure correct input on ring init (CVE-2021-3607)
Posted by Yuval Shaia 2 years, 10 months ago 
On Wed, 30 Jun 2021 at 14:46, Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
wrote:

> Check the guest passed a non zero page count
> for pvrdma device ring buffers.
>
> Fixes: CVE-2021-3607
> Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
> Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
> Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
> ---
>  hw/rdma/vmw/pvrdma_main.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
> index 84ae8024fc..7c0c3551a8 100644
> --- a/hw/rdma/vmw/pvrdma_main.c
> +++ b/hw/rdma/vmw/pvrdma_main.c
> @@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring,
> PvrdmaRingState **ring_state,
>      uint64_t *dir, *tbl;
>      int rc = 0;
>
> +    if (!num_pages) {
> +        rdma_error_report("Ring pages count must be strictly positive");
> +        return -EINVAL;
> +    }
> +
>

Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>


>      dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
>      if (!dir) {
>          rdma_error_report("Failed to map to page directory (ring %s)",
> name);
> --
> 2.31.1
>
>

Patchew 2.1-devel-0870f84

© 2016 - 2024 Red Hat, Inc.