qemu/hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch

From 38f8c09d9916e76d2907d68fbe69115aef3a5310 Mon Sep 17 00:00:00 2001
From: Yuval Shaia <yuval.shaia.ml@gmail.com>
Date: Sun, 3 Apr 2022 12:52:34 +0300
Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver

Guest driver might execute HW commands when shared buffers are not yet
allocated.
This could happen on purpose (malicious guest) or because of some other
guest/host address mapping error.
We need to protect againts such case.

Fixes: CVE-2022-1050

Reported-by: Raven <wxhusst@gmail.com>
Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Message-Id: <20220403095234.2210-1-yuval.shaia.ml@gmail.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: liuxiangdong <liuxiangdong5@huawei.com>
---
 hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index da7ddfa548..89db963c46 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
 
     dsr_info = &dev->dsr_info;
 
+    if (!dsr_info->dsr) {
+            /* Buggy or malicious guest driver */
+            rdma_error_report("Exec command without dsr, req or rsp buffers");
+            goto out;
+    }
+
     if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
                       sizeof(struct cmd_handler)) {
         rdma_error_report("Unsupported command");
-- 
2.27.0
QEMU update to viersion 6.2.0-67(master) -bugfix: fix qmp command migrate-set-parameters -some bugfixs about ARM hot-plugged CPUs -hw/core/machine:Fix the missing consideration of cluster-id -test/tcg:Fix target-specific Makefile variable path for user-mode -tests:add (riscv virt) machine mapping to testenv -Make a litte improvement in curl and hw/riscv -qemu support for loongarch -hw/pvrdma: Protect against buggy or malious guest driver -hw/audio/intel-hda:fix stream reset -dsoundaudio:fix crackling audio recordings -add notify-vm-exit support for i386 -blok-backend: prevent dangling BDS pointers across aio_poll() -net:Fix uninitialized data usage -net/eth:Don't consider ESP to be an IPv6 option header -hw/net/vmxnet3:Log guest-triggerable errors using LOG_GUEST_ERROR Signed-off-by: FeiXu <xufei30@huawei.com> 2023-03-28 20:53:54 +08:00			`From 38f8c09d9916e76d2907d68fbe69115aef3a5310 Mon Sep 17 00:00:00 2001`
			`From: Yuval Shaia <yuval.shaia.ml@gmail.com>`
			`Date: Sun, 3 Apr 2022 12:52:34 +0300`
			`Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver`

			`Guest driver might execute HW commands when shared buffers are not yet`
			`allocated.`
			`This could happen on purpose (malicious guest) or because of some other`
			`guest/host address mapping error.`
			`We need to protect againts such case.`

			`Fixes: CVE-2022-1050`

			`Reported-by: Raven <wxhusst@gmail.com>`
			`Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>`
			`Message-Id: <20220403095234.2210-1-yuval.shaia.ml@gmail.com>`
			`Signed-off-by: Laurent Vivier <laurent@vivier.eu>`
			`Signed-off-by: liuxiangdong <liuxiangdong5@huawei.com>`
			`---`
			`hw/rdma/vmw/pvrdma_cmd.c \| 6 ++++++`
			`1 file changed, 6 insertions(+)`

			`diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c`
			`index da7ddfa548..89db963c46 100644`
			`--- a/hw/rdma/vmw/pvrdma_cmd.c`
			`+++ b/hw/rdma/vmw/pvrdma_cmd.c`
			`@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)`

			`dsr_info = &dev->dsr_info;`

			`+ if (!dsr_info->dsr) {`
			`+ /* Buggy or malicious guest driver */`
			`+ rdma_error_report("Exec command without dsr, req or rsp buffers");`
			`+ goto out;`
			`+ }`
			`+`
			`if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /`
			`sizeof(struct cmd_handler)) {`
			`rdma_error_report("Unsupported command");`
			`--`
			`2.27.0`