* [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)
@ 2021-06-16 11:06 Marcel Apfelbaum
2021-06-17 9:38 ` P J P
2021-06-18 9:03 ` Yuval Shaia
0 siblings, 2 replies; 3+ messages in thread
From: Marcel Apfelbaum @ 2021-06-16 11:06 UTC (permalink / raw)
To: qemu-devel; +Cc: mcascell, pjp, mst, yuval.shaia.ml, vv474172261
From: Marcel Apfelbaum <marcel@redhat.com>
Ensure mremap boundaries not trusting the guest kernel to
pass the correct buffer length.
Fixes: CVE-2021-3582
Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
---
hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index f59879e257..dadab4966b 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -38,6 +38,12 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
return NULL;
}
+ length = ROUND_UP(length, TARGET_PAGE_SIZE);
+ if (nchunks * TARGET_PAGE_SIZE != length) {
+ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks, length);
+ return NULL;
+ }
+
dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
if (!dir) {
rdma_error_report("Failed to map to page directory");
--
2.17.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)
2021-06-16 11:06 [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) Marcel Apfelbaum
@ 2021-06-17 9:38 ` P J P
2021-06-18 9:03 ` Yuval Shaia
1 sibling, 0 replies; 3+ messages in thread
From: P J P @ 2021-06-17 9:38 UTC (permalink / raw)
To: qemu-devel, Marcel Apfelbaum; +Cc: vv474172261, mcascell, yuval.shaia.ml, mst
On Wednesday, 16 June, 2021, 04:36:09 pm IST, Marcel Apfelbaum <marcel.apfelbaum@gmail.com> wrote:
>From: Marcel Apfelbaum <marcel@redhat.com>
>diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
>index f59879e257..dadab4966b 100644
>--- a/hw/rdma/vmw/pvrdma_cmd.c
>+++ b/hw/rdma/vmw/pvrdma_cmd.c
>@@ -38,6 +38,12 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
> return NULL;
> }
>
>+ length = ROUND_UP(length, TARGET_PAGE_SIZE);
>+ if (nchunks * TARGET_PAGE_SIZE != length) {
>+ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks, length);
>+ return NULL;
>+ }
>+
> dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
> if (!dir) {
> rdma_error_report("Failed to map to page directory");
>
Looks okay.
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Thank you.
---
-P J P
http://feedmug.com
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)
2021-06-16 11:06 [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) Marcel Apfelbaum
2021-06-17 9:38 ` P J P
@ 2021-06-18 9:03 ` Yuval Shaia
1 sibling, 0 replies; 3+ messages in thread
From: Yuval Shaia @ 2021-06-18 9:03 UTC (permalink / raw)
To: Marcel Apfelbaum
Cc: vv474172261, pjp, mcascell, QEMU Developers, Michael S. Tsirkin
[-- Attachment #1: Type: text/plain, Size: 1296 bytes --]
Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
On Wed, 16 Jun 2021 at 14:06, Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
wrote:
> From: Marcel Apfelbaum <marcel@redhat.com>
>
> Ensure mremap boundaries not trusting the guest kernel to
> pass the correct buffer length.
>
> Fixes: CVE-2021-3582
> Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
> Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
> Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
> ---
> hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
> index f59879e257..dadab4966b 100644
> --- a/hw/rdma/vmw/pvrdma_cmd.c
> +++ b/hw/rdma/vmw/pvrdma_cmd.c
> @@ -38,6 +38,12 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev,
> uint64_t pdir_dma,
> return NULL;
> }
>
> + length = ROUND_UP(length, TARGET_PAGE_SIZE);
> + if (nchunks * TARGET_PAGE_SIZE != length) {
> + rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
> length);
> + return NULL;
> + }
> +
> dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
> if (!dir) {
> rdma_error_report("Failed to map to page directory");
> --
> 2.17.2
>
>
[-- Attachment #2: Type: text/html, Size: 2114 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-06-18 9:04 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-16 11:06 [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) Marcel Apfelbaum
2021-06-17 9:38 ` P J P
2021-06-18 9:03 ` Yuval Shaia
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).