[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest drive
From: |
Marcel Apfelbaum |
Subject: |
Re: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest driver |
Date: |
Tue, 5 Apr 2022 12:31:39 +0200 |
Hi Yuval,
Thank you for the changes.
On Sun, Apr 3, 2022 at 11:54 AM Yuval Shaia <yuval.shaia.ml@gmail.com> wrote:
>
> Guest driver might execute HW commands when shared buffers are not yet
> allocated.
> This could happen on purpose (malicious guest) or because of some other
> guest/host address mapping error.
> We need to protect againts such case.
>
> Fixes: CVE-2022-1050
>
> Reported-by: Raven <wxhusst@gmail.com>
> Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
> ---
> v1 -> v2:
> * Commit message changes
> v2 -> v3:
> * Exclude cosmetic changes
> ---
> hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
> index da7ddfa548..89db963c46 100644
> --- a/hw/rdma/vmw/pvrdma_cmd.c
> +++ b/hw/rdma/vmw/pvrdma_cmd.c
> @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
>
> dsr_info = &dev->dsr_info;
>
> + if (!dsr_info->dsr) {
> + /* Buggy or malicious guest driver */
> + rdma_error_report("Exec command without dsr, req or rsp
> buffers");
> + goto out;
> + }
> +
> if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
> sizeof(struct cmd_handler)) {
> rdma_error_report("Unsupported command");
> --
> 2.20.1
>
cc-ing Peter and Philippe for a question:
Do we have a "Security Fixes" or a "Misc" subtree? Otherwise it will
have to wait a week or so.
Reviewed by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Thanks,
Marcel