qemu-trivial
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest drive

From: Thomas Huth
Subject: Re: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest driver
Date: Wed, 28 Dec 2022 20:32:14 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.13.0 
On 19/12/2022 12.21, Marcel Apfelbaum wrote:

On Mon, Dec 19, 2022 at 10:57 AM Yuval Shaia <yuval.shaia.ml@gmail.com> wrote:


Can anyone else pick this one?


Adding Thomas,

I dropped the ball with this one, I am sorry about that, maybe it
doesn't worth a Pull Request only for it.


Why not? Pull request for single patches aren't that uncommon.


Maybe it can go through the Misc tree?
hw/rdma/ is really not my turf, but since the patch is small, it sounds like a good candidate for qemu-trivial, I think. 

 Thomas



On Wed, 7 Dec 2022 at 17:05, Claudio Fontana <cfontana@suse.de> wrote:


On 4/5/22 12:31, Marcel Apfelbaum wrote:

Hi Yuval,
Thank you for the changes.

On Sun, Apr 3, 2022 at 11:54 AM Yuval Shaia <yuval.shaia.ml@gmail.com> wrote:


Guest driver might execute HW commands when shared buffers are not yet
allocated.
This could happen on purpose (malicious guest) or because of some other
guest/host address mapping error.
We need to protect againts such case.

Fixes: CVE-2022-1050

Reported-by: Raven <wxhusst@gmail.com>
Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
---
v1 -> v2:
         * Commit message changes
v2 -> v3:
         * Exclude cosmetic changes
---
  hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
  1 file changed, 6 insertions(+)

diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index da7ddfa548..89db963c46 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)

      dsr_info = &dev->dsr_info;

+    if (!dsr_info->dsr) {
+            /* Buggy or malicious guest driver */
+            rdma_error_report("Exec command without dsr, req or rsp buffers");
+            goto out;
+    }
+
      if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
                        sizeof(struct cmd_handler)) {
          rdma_error_report("Unsupported command");
--
2.20.1



cc-ing Peter and Philippe for a question:
Do we have a "Security Fixes" or a "Misc" subtree? Otherwise it will
have to wait a week or so.

Reviewed by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Thanks,
Marcel



Hi all,

patch is reviewed, anything holding back the inclusion of this security fix?

Thanks,

Claudio
reply via email to
[Prev in Thread] Current Thread [Next in Thread]