hw/pvrdma: Protect against buggy or malicious guest driver (CVE-2022-1050)

Fix CVE-2022-1050 Signed-off-by: liuxiangdong <liuxiangdong5@huawei.com>
2023-05-12 16:34:35 +08:00 · 2023-05-12 16:34:35 +08:00 · d8da2eaa57
commit d8da2eaa57
parent 85af3a887e
2 changed files with 47 additions and 1 deletions
--- a/hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
+++ b/hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
@ -0,0 +1,42 @@
+From 16bea8df3ea108990e1cd9729cf7c141a9852dee Mon Sep 17 00:00:00 2001
+From: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Date: Sun, 3 Apr 2022 12:52:34 +0300
+Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver
+
+Guest driver might execute HW commands when shared buffers are not yet
+allocated.
+This could happen on purpose (malicious guest) or because of some other
+guest/host address mapping error.
+We need to protect againts such case.
+
+Fixes: CVE-2022-1050
+
+Reported-by: Raven <wxhusst@gmail.com>
+Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
+Message-Id: <20220403095234.2210-1-yuval.shaia.ml@gmail.com>
+Signed-off-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: liuxiangdong <liuxiangdong5@huawei.com>
+---
+ hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index dca8f36693..99be9657e3 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -797,6 +797,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
+ 
+     dsr_info = &dev->dsr_info;
+ 
+    if (!dsr_info->dsr) {
+            /* Buggy or malicious guest driver */
+            rdma_error_report("Exec command without dsr, req or rsp buffers");
+            goto out;
+    }
+
+     if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
+                       sizeof(struct cmd_handler)) {
+         rdma_error_report("Unsupported command");
+-- 
+2.36.1
+
--- a/qemu.spec
+++ b/qemu.spec
@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 76
+Release: 77
 Epoch: 10
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -382,6 +382,7 @@ Patch0369: hw-display-qxl-Document-qxl_phys2virt.patch
 Patch0370: hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch
 Patch0371: hw-display-qxl-Avoid-buffer-overrun-in-qxl_phys2virt.patch
 Patch0372: hw-display-qxl-Assert-memory-slot-fits-in-preallocat.patch
+Patch0373: hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch

 BuildRequires: flex
 BuildRequires: bison
@ -782,6 +783,9 @@ getent passwd qemu >/dev/null || \
 %endif

 %changelog
+* Thu May 18 2023 liuxiangdong <liuxiangdong5@huawei.com>
+- hw/pvrdma: Protect against buggy or malicious guest driver (CVE-2022-1050)
+
 * Mon Dec 05 2022 yezengruan <yezengruan@huawei.com>
 - fix CVE-2022-4144