* [PATCH v2] hw/pvrdma: Protect against buggy or malicious guest driver
@ 2022-04-03 9:32 Yuval Shaia
0 siblings, 0 replies; only message in thread
From: Yuval Shaia @ 2022-04-03 9:32 UTC (permalink / raw)
To: qemu-devel, yuval.shaia.ml, marcel.apfelbaum, mcascell, wxhusst
Guest driver might execute HW commands when shared buffers are not yet
allocated.
This could happen on purpose (malicious guest) or because of some other
guest/host address mapping error.
We need to protect againts such case.
Fixes: CVE-2022-1050
While there, fix some coding style errors.
Reported-by: Raven <wxhusst@gmail.com>
Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
---
v1 -> v2:
* Commit message changes
---
hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
hw/rdma/vmw/pvrdma_main.c | 9 +++++----
2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index da7ddfa548..89db963c46 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
dsr_info = &dev->dsr_info;
+ if (!dsr_info->dsr) {
+ /* Buggy or malicious guest driver */
+ rdma_error_report("Exec command without dsr, req or rsp buffers");
+ goto out;
+ }
+
if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
sizeof(struct cmd_handler)) {
rdma_error_report("Unsupported command");
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 91206dbb8e..aae382af59 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -159,13 +159,13 @@ static void free_dsr(PVRDMADev *dev)
free_dev_ring(pci_dev, &dev->dsr_info.cq, dev->dsr_info.cq_ring_state);
rdma_pci_dma_unmap(pci_dev, dev->dsr_info.req,
- sizeof(union pvrdma_cmd_req));
+ sizeof(union pvrdma_cmd_req));
rdma_pci_dma_unmap(pci_dev, dev->dsr_info.rsp,
- sizeof(union pvrdma_cmd_resp));
+ sizeof(union pvrdma_cmd_resp));
rdma_pci_dma_unmap(pci_dev, dev->dsr_info.dsr,
- sizeof(struct pvrdma_device_shared_region));
+ sizeof(struct pvrdma_device_shared_region));
dev->dsr_info.dsr = NULL;
}
@@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev *dev)
{
struct pvrdma_device_shared_region *dsr;
- if (dev->dsr_info.dsr == NULL) {
+ if (!dev->dsr_info.dsr) {
+ /* Buggy or malicious guest driver */
rdma_error_report("Can't initialized DSR");
return;
}
--
2.20.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2022-04-03 9:36 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-04-03 9:32 [PATCH v2] hw/pvrdma: Protect against buggy or malicious guest driver Yuval Shaia
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).