* [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver
@ 2022-03-21 13:11 Yuval Shaia
2022-03-22 12:27 ` Marcel Apfelbaum
0 siblings, 1 reply; 4+ messages in thread
From: Yuval Shaia @ 2022-03-21 13:11 UTC (permalink / raw)
To: qemu-devel, yuval.shaia.ml, marcel.apfelbaum, mcascell, wxhusst
Guest driver might execute HW commands when shared buffers are not yet
allocated.
This might happen on purpose (malicious guest) or because some other
guest/host address mapping.
We need to protect againts such case.
Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
---
hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
hw/rdma/vmw/pvrdma_main.c | 9 +++++----
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index da7ddfa548..89db963c46 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
dsr_info = &dev->dsr_info;
+ if (!dsr_info->dsr) {
+ /* Buggy or malicious guest driver */
+ rdma_error_report("Exec command without dsr, req or rsp buffers");
+ goto out;
+ }
+
if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
sizeof(struct cmd_handler)) {
rdma_error_report("Unsupported command");
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 91206dbb8e..aae382af59 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -159,13 +159,13 @@ static void free_dsr(PVRDMADev *dev)
free_dev_ring(pci_dev, &dev->dsr_info.cq, dev->dsr_info.cq_ring_state);
rdma_pci_dma_unmap(pci_dev, dev->dsr_info.req,
- sizeof(union pvrdma_cmd_req));
+ sizeof(union pvrdma_cmd_req));
rdma_pci_dma_unmap(pci_dev, dev->dsr_info.rsp,
- sizeof(union pvrdma_cmd_resp));
+ sizeof(union pvrdma_cmd_resp));
rdma_pci_dma_unmap(pci_dev, dev->dsr_info.dsr,
- sizeof(struct pvrdma_device_shared_region));
+ sizeof(struct pvrdma_device_shared_region));
dev->dsr_info.dsr = NULL;
}
@@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev *dev)
{
struct pvrdma_device_shared_region *dsr;
- if (dev->dsr_info.dsr == NULL) {
+ if (!dev->dsr_info.dsr) {
+ /* Buggy or malicious guest driver */
rdma_error_report("Can't initialized DSR");
return;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver
2022-03-21 13:11 [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver Yuval Shaia
@ 2022-03-22 12:27 ` Marcel Apfelbaum
2022-03-29 10:10 ` [PATCH-for-7.0] " Philippe Mathieu-Daudé
0 siblings, 1 reply; 4+ messages in thread
From: Marcel Apfelbaum @ 2022-03-22 12:27 UTC (permalink / raw)
To: Yuval Shaia; +Cc: wxhusst, Mauro Matteo Cascella, qemu devel list
Hi Yuval
On Mon, Mar 21, 2022 at 2:11 PM Yuval Shaia <yuval.shaia.ml@gmail.com> wrote:
>
> Guest driver might execute HW commands when shared buffers are not yet
> allocated.
> This might happen on purpose (malicious guest) or because some other
> guest/host address mapping.
> We need to protect againts such case.
>
> Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
> Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
> ---
> hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
> hw/rdma/vmw/pvrdma_main.c | 9 +++++----
> 2 files changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
> index da7ddfa548..89db963c46 100644
> --- a/hw/rdma/vmw/pvrdma_cmd.c
> +++ b/hw/rdma/vmw/pvrdma_cmd.c
> @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
>
> dsr_info = &dev->dsr_info;
>
> + if (!dsr_info->dsr) {
> + /* Buggy or malicious guest driver */
> + rdma_error_report("Exec command without dsr, req or rsp buffers");
> + goto out;
> + }
> +
> if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
> sizeof(struct cmd_handler)) {
> rdma_error_report("Unsupported command");
> diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
> index 91206dbb8e..aae382af59 100644
> --- a/hw/rdma/vmw/pvrdma_main.c
> +++ b/hw/rdma/vmw/pvrdma_main.c
> @@ -159,13 +159,13 @@ static void free_dsr(PVRDMADev *dev)
> free_dev_ring(pci_dev, &dev->dsr_info.cq, dev->dsr_info.cq_ring_state);
>
> rdma_pci_dma_unmap(pci_dev, dev->dsr_info.req,
> - sizeof(union pvrdma_cmd_req));
> + sizeof(union pvrdma_cmd_req));
>
> rdma_pci_dma_unmap(pci_dev, dev->dsr_info.rsp,
> - sizeof(union pvrdma_cmd_resp));
> + sizeof(union pvrdma_cmd_resp));
>
> rdma_pci_dma_unmap(pci_dev, dev->dsr_info.dsr,
> - sizeof(struct pvrdma_device_shared_region));
> + sizeof(struct pvrdma_device_shared_region));
>
Nit: the above changes are not related to the patch, maybe drop them?
Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Thanks,
Marcel
> dev->dsr_info.dsr = NULL;
> }
> @@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev *dev)
> {
> struct pvrdma_device_shared_region *dsr;
>
> - if (dev->dsr_info.dsr == NULL) {
> + if (!dev->dsr_info.dsr) {
> + /* Buggy or malicious guest driver */
> rdma_error_report("Can't initialized DSR");
> return;
> }
> --
> 2.20.1
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH-for-7.0] hw/pvrdma: Protect against buggy or malicious guest driver
2022-03-22 12:27 ` Marcel Apfelbaum
@ 2022-03-29 10:10 ` Philippe Mathieu-Daudé
0 siblings, 0 replies; 4+ messages in thread
From: Philippe Mathieu-Daudé @ 2022-03-29 10:10 UTC (permalink / raw)
To: Marcel Apfelbaum, Yuval Shaia
Cc: wxhusst, Peter Maydell, Mauro Matteo Cascella, qemu devel list
On 22/3/22 13:27, Marcel Apfelbaum wrote:
> Hi Yuval
>
> On Mon, Mar 21, 2022 at 2:11 PM Yuval Shaia <yuval.shaia.ml@gmail.com> wrote:
>>
>> Guest driver might execute HW commands when shared buffers are not yet
>> allocated.
>> This might happen on purpose (malicious guest) or because some other
>> guest/host address mapping.
>> We need to protect againts such case.
>>
Fixes: CVE-2022-1050
>> Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
>> Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
>> ---
>> hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
>> hw/rdma/vmw/pvrdma_main.c | 9 +++++----
>> 2 files changed, 11 insertions(+), 4 deletions(-)
>>
>> diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
>> index da7ddfa548..89db963c46 100644
>> --- a/hw/rdma/vmw/pvrdma_cmd.c
>> +++ b/hw/rdma/vmw/pvrdma_cmd.c
>> @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
>>
>> dsr_info = &dev->dsr_info;
>>
>> + if (!dsr_info->dsr) {
>> + /* Buggy or malicious guest driver */
>> + rdma_error_report("Exec command without dsr, req or rsp buffers");
>> + goto out;
>> + }
>> +
>> if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
>> sizeof(struct cmd_handler)) {
>> rdma_error_report("Unsupported command");
>> diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
>> index 91206dbb8e..aae382af59 100644
>> --- a/hw/rdma/vmw/pvrdma_main.c
>> +++ b/hw/rdma/vmw/pvrdma_main.c
>> @@ -159,13 +159,13 @@ static void free_dsr(PVRDMADev *dev)
>> free_dev_ring(pci_dev, &dev->dsr_info.cq, dev->dsr_info.cq_ring_state);
>>
>> rdma_pci_dma_unmap(pci_dev, dev->dsr_info.req,
>> - sizeof(union pvrdma_cmd_req));
>> + sizeof(union pvrdma_cmd_req));
>>
>> rdma_pci_dma_unmap(pci_dev, dev->dsr_info.rsp,
>> - sizeof(union pvrdma_cmd_resp));
>> + sizeof(union pvrdma_cmd_resp));
>>
>> rdma_pci_dma_unmap(pci_dev, dev->dsr_info.dsr,
>> - sizeof(struct pvrdma_device_shared_region));
>> + sizeof(struct pvrdma_device_shared_region));
>>
>
> Nit: the above changes are not related to the patch, maybe drop them?
Yes please.
>
> Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
>
> Thanks,
> Marcel
>
>> dev->dsr_info.dsr = NULL;
>> }
>> @@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev *dev)
>> {
>> struct pvrdma_device_shared_region *dsr;
>>
>> - if (dev->dsr_info.dsr == NULL) {
>> + if (!dev->dsr_info.dsr) {
>> + /* Buggy or malicious guest driver */
>> rdma_error_report("Can't initialized DSR");
>> return;
>> }
>> --
>> 2.20.1
>>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver
@ 2023-02-27 13:35 Yuval Shaia
0 siblings, 0 replies; 4+ messages in thread
From: Yuval Shaia @ 2023-02-27 13:35 UTC (permalink / raw)
To: qemu-devel, soulchen8650, secalert, mcascell, qemu-security,
yuval.shaia.ml, marcel.apfelbaum
Guest driver allocates and initialize page tables to be used as a ring
of descriptors for CQ and async events.
The page table that represents the ring, along with the number of pages
in the page table is passed to the device.
Currently our device supports only one page table for a ring.
Let's make sure that the number of page table entries the driver
reports, do not exceeds the one page table size.
Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
---
hw/rdma/vmw/pvrdma_main.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 4fc6712025..e84d68a81f 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -98,12 +98,20 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
return -EINVAL;
}
+ if (num_pages > TARGET_PAGE_SIZE / sizeof(dma_addr_t)) {
+ rdma_error_report("Maximum pages on a single directory must not exceed %ld\n",
+ TARGET_PAGE_SIZE / sizeof(dma_addr_t));
+ return -EINVAL;
+ }
+
dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
if (!dir) {
rdma_error_report("Failed to map to page directory (ring %s)", name);
rc = -ENOMEM;
goto out;
}
+
+ /* We support only one page table for a ring */
tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE);
if (!tbl) {
rdma_error_report("Failed to map to page table (ring %s)", name);
--
2.20.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-02-27 13:35 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-21 13:11 [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver Yuval Shaia
2022-03-22 12:27 ` Marcel Apfelbaum
2022-03-29 10:10 ` [PATCH-for-7.0] " Philippe Mathieu-Daudé
2023-02-27 13:35 [PATCH] " Yuval Shaia
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.