From: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
To: "Yuval Shaia" <yuval.shaia.ml@gmail.com>,
	"Philippe Mathieu-Daudé" <philmd@redhat.com>,
	"Peter Maydell" <peter.maydell@linaro.org>
Cc: wxhusst@gmail.com, Mauro Matteo Cascella <mcascell@redhat.com>,
	qemu devel list <qemu-devel@nongnu.org>
Subject: Re: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest driver
Date: Tue, 5 Apr 2022 12:31:39 +0200
Message-ID: <CAC_L=vXsKpai6Wr0Fi2r5sr4U+tshPB9VizqntDppqE=1_FbVQ@mail.gmail.com>
In-Reply-To: <20220403095234.2210-1-yuval.shaia.ml@gmail.com>

Hi Yuval,
Thank you for the changes.

On Sun, Apr 3, 2022 at 11:54 AM Yuval Shaia <yuval.shaia.ml@gmail.com> wrote:
>
> Guest driver might execute HW commands when shared buffers are not yet
> allocated.
> This could happen on purpose (malicious guest) or because of some other
> guest/host address mapping error.
> We need to protect against such a case.
>
> Fixes: CVE-2022-1050
>
> Reported-by: Raven <wxhusst@gmail.com>
> Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
> ---
> v1 -> v2:
>         * Commit message changes
> v2 -> v3:
>         * Exclude cosmetic changes
> ---
>  hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
> index da7ddfa548..89db963c46 100644
> --- a/hw/rdma/vmw/pvrdma_cmd.c
> +++ b/hw/rdma/vmw/pvrdma_cmd.c
> @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
>
>      dsr_info = &dev->dsr_info;
>
> +    if (!dsr_info->dsr) {
> +            /* Buggy or malicious guest driver */
> +            rdma_error_report("Exec command without dsr, req or rsp buffers");
> +            goto out;
> +    }
> +
>      if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
>                        sizeof(struct cmd_handler)) {
>          rdma_error_report("Unsupported command");
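
Review bot: The new guard at the top of pvrdma_exec_cmd() tests only `dsr_info->dsr`, while its error text says "without dsr, req or rsp buffers" and the very next statement dereferences `dsr_info->req->hdr.cmd`. If the req and rsp pointers can be unset independently of dsr, extend the condition to cover them as well; if they are always set and cleared together with dsr, a one-line comment saying so would make clear that the single check is sufficient and that the message is accurate. As a style point, the body of the new `if` is indented to 12 columns where the neighbouring "Unsupported command" block uses 8.
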
> --
> 2.20.1
>

cc-ing Peter and Philippe for a question:
Do we have a "Security Fixes" or a "Misc" subtree? Otherwise it will
have to wait a week or so.

Reviewed by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Thanks,
Marcel

