[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 04/21] hw/pvrdma: Protect against buggy or malicious guest driver
From: |
Michael Tokarev |
Subject: |
[PATCH 04/21] hw/pvrdma: Protect against buggy or malicious guest driver |
Date: |
Thu, 13 Apr 2023 23:31:16 +0300 |
From: Yuval Shaia <yuval.shaia.ml@gmail.com>
Guest driver might execute HW commands when shared buffers are not yet
allocated.
This could happen on purpose (malicious guest) or because of some other
guest/host address mapping error.
We need to protect againts such case.
Fixes: CVE-2022-1050
Reported-by: Raven <wxhusst@gmail.com>
Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Message-Id: <20220403095234.2210-1-yuval.shaia.ml@gmail.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
(cherry picked from commit 31c4b6fb0293e359f9ef8a61892667e76eea4c99)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
---
hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index da7ddfa548..89db963c46 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
dsr_info = &dev->dsr_info;
+ if (!dsr_info->dsr) {
+ /* Buggy or malicious guest driver */
+ rdma_error_report("Exec command without dsr, req or rsp buffers");
+ goto out;
+ }
+
if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
sizeof(struct cmd_handler)) {
rdma_error_report("Unsupported command");
--
2.30.2
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [PATCH 04/21] hw/pvrdma: Protect against buggy or malicious guest driver,
Michael Tokarev <=