* [PULL V2 0/3] PVRDMA queue
@ 2021-07-04 20:52 Marcel Apfelbaum
From: Marcel Apfelbaum @ 2021-07-04 20:52 UTC (permalink / raw)
  To: qemu-devel, peter.maydell
  Cc: mcascell, pjp, yuval.shaia.ml, vv474172261, philmd

The following changes since commit 9c2647f75004c4f7d64c9c0ec55f8c6f0739a8b1:

  Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2021-07-02 11:46:32 +0100)

are available in the Git repository at:

  https://github.com/marcel-apf/qemu tags/pvrdma-04-07-2021-v2

for you to fetch changes up to 66ae37d8cc313f89272e711174a846a229bcdbd3:

  pvrdma: Fix the ring init error flow (CVE-2021-3608) (2021-07-04 22:47:51 +0300)

----------------------------------------------------------------
PVRDMA queue

Several CVE fixes for the PVRDMA device.

----------------------------------------------------------------

Marcel Apfelbaum (3):
  hw/rdma: Fix possible mremap overflow in the pvrdma device
    (CVE-2021-3582)
  pvrdma: Ensure correct input on ring init (CVE-2021-3607)
  pvrdma: Fix the ring init error flow (CVE-2021-3608)

 hw/rdma/vmw/pvrdma_cmd.c      | 7 +++++++
 hw/rdma/vmw/pvrdma_dev_ring.c | 2 +-
 hw/rdma/vmw/pvrdma_main.c     | 5 +++++
 3 files changed, 13 insertions(+), 1 deletion(-)

-- 
2.17.2




* [PULL V2 1/3] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)
From: Marcel Apfelbaum @ 2021-07-04 20:52 UTC (permalink / raw)
  To: qemu-devel, peter.maydell
  Cc: mcascell, pjp, yuval.shaia.ml, vv474172261, philmd

From: Marcel Apfelbaum <marcel@redhat.com>

Ensure mremap boundaries, not trusting the guest kernel to
pass the correct buffer length.

Fixes: CVE-2021-3582
Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com>
Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
---
 v1 -> v2: Fix compilation issue on 32-bit hosts

 hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index f59879e257..da7ddfa548 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
         return NULL;
     }
 
+    length = ROUND_UP(length, TARGET_PAGE_SIZE);
+    if (nchunks * TARGET_PAGE_SIZE != length) {
+        rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
+                          (unsigned long)length);
+        return NULL;
+    }
+
     dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
     if (!dir) {
         rdma_error_report("Failed to map to page directory");
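Review bot: the new guard `if (nchunks * TARGET_PAGE_SIZE != length)` compares a product against the rounded-up `length`, but the hunk does not show the type of `nchunks`; if it is a 32-bit guest-supplied count, the product is evaluated in 32-bit arithmetic and can wrap to a value that matches a small `length`, so consider widening explicitly, e.g. `(uint64_t)nchunks * TARGET_PAGE_SIZE`, or bounding `nchunks` before multiplying. A one-line comment above the check explaining that `nchunks` and `length` both come from the guest and must agree would also help future readers, and the commit message could state that mismatched inputs are now rejected rather than only that boundaries are "ensured".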
-- 
2.17.2




* [PULL V2 2/3] pvrdma: Ensure correct input on ring init (CVE-2021-3607)
From: Marcel Apfelbaum @ 2021-07-04 20:52 UTC (permalink / raw)
  To: qemu-devel, peter.maydell
  Cc: mcascell, pjp, yuval.shaia.ml, vv474172261, philmd

Check the guest passed a non-zero page count
for pvrdma device ring buffers.

Fixes: CVE-2021-3607
Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Message-Id: <20210630114634.2168872-1-marcel@redhat.com>
Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
---
 hw/rdma/vmw/pvrdma_main.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 84ae8024fc..7c0c3551a8 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
     uint64_t *dir, *tbl;
     int rc = 0;
 
+    if (!num_pages) {
+        rdma_error_report("Ring pages count must be strictly positive");
+        return -EINVAL;
+    }
+
     dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
     if (!dir) {
         rdma_error_report("Failed to map to page directory (ring %s)", name);
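Review bot: the `if (!num_pages)` check rejects zero but places no upper bound on the guest-controlled `num_pages`; since the hunk shows the value is used before `dir`/`tbl` are mapped, it is worth either bounding it here against the number of table entries a single `TARGET_PAGE_SIZE` directory page can describe, or adding a comment stating where the upper bound is enforced. Returning `-EINVAL` directly (bypassing the `rc` cleanup path) is correct at this point because nothing has been mapped yet; a short comment saying so would make that intent explicit.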
-- 
2.17.2




* [PULL V2 3/3] pvrdma: Fix the ring init error flow (CVE-2021-3608)
From: Marcel Apfelbaum @ 2021-07-04 20:52 UTC (permalink / raw)
  To: qemu-devel, peter.maydell
  Cc: mcascell, pjp, yuval.shaia.ml, vv474172261, philmd

Do not unmap uninitialized dma addresses.

Fixes: CVE-2021-3608
Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Message-Id: <20210630115246.2178219-1-marcel@redhat.com>
Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
---
 hw/rdma/vmw/pvrdma_dev_ring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/rdma/vmw/pvrdma_dev_ring.c b/hw/rdma/vmw/pvrdma_dev_ring.c
index 074ac59b84..42130667a7 100644
--- a/hw/rdma/vmw/pvrdma_dev_ring.c
+++ b/hw/rdma/vmw/pvrdma_dev_ring.c
@@ -41,7 +41,7 @@ int pvrdma_ring_init(PvrdmaRing *ring, const char *name, PCIDevice *dev,
     qatomic_set(&ring->ring_state->cons_head, 0);
     */
     ring->npages = npages;
-    ring->pages = g_malloc(npages * sizeof(void *));
+    ring->pages = g_malloc0(npages * sizeof(void *));

     for (i = 0; i < npages; i++) {
         if (!tbl[i]) {
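Review bot: switching `g_malloc` to `g_malloc0` makes the error path safe only because the cleanup code treats a NULL entry in `ring->pages` as "never mapped"; that invariant is not documented at the allocation site, so add a comment such as `/* zeroed so the error path can skip unmapped entries */`. Also consider `g_new0(void *, npages)` in place of `g_malloc0(npages * sizeof(void *))`, since `g_new0` performs an overflow-checked multiplication on the guest-supplied `npages`, whereas the open-coded product is not checked in this hunk.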
-- 
2.17.2




* Re: [PULL V2 0/3] PVRDMA queue
From: Peter Maydell @ 2021-07-05 11:44 UTC (permalink / raw)
  To: Marcel Apfelbaum
  Cc: Mauro Matteo Cascella, Prasad J Pandit, QEMU Developers,
	Yuval Shaia, vv474172261, Philippe Mathieu-Daudé

On Sun, 4 Jul 2021 at 21:52, Marcel Apfelbaum
<marcel.apfelbaum@gmail.com> wrote:
>
> The following changes since commit 9c2647f75004c4f7d64c9c0ec55f8c6f0739a8b1:
>
>   Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2021-07-02 11:46:32 +0100)
>
> are available in the Git repository at:
>
>   https://github.com/marcel-apf/qemu tags/pvrdma-04-07-2021-v2
>
> for you to fetch changes up to 66ae37d8cc313f89272e711174a846a229bcdbd3:
>
>   pvrdma: Fix the ring init error flow (CVE-2021-3608) (2021-07-04 22:47:51 +0300)
>
> ----------------------------------------------------------------
> PVRDMA queue
>
> Several CVE fixes for the PVRDMA device.
>



Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/6.1
for any user-visible changes.

-- PMM


