packages/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

hw/pvrdma: Protect against buggy or malicious guest driver (CVE-2022-1050)

Browse Source 
Fix CVE-2022-1050

Signed-off-by: liuxiangdong <liuxiangdong5@huawei.com>
This commit is contained in:
liuxiangdong 2023-05-12 16:34:35 +08:00
parent 85af3a887e
commit d8da2eaa57
2 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch Normal file
View File

@ -0,0 +1,42 @@
From 16bea8df3ea108990e1cd9729cf7c141a9852dee Mon Sep 17 00:00:00 2001
From: Yuval Shaia <yuval.shaia.ml@gmail.com>
Date: Sun, 3 Apr 2022 12:52:34 +0300
Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver
Guest driver might execute HW commands when shared buffers are not yet
allocated.
This could happen on purpose (malicious guest) or because of some other
guest/host address mapping error.
We need to protect againts such case.
Fixes: CVE-2022-1050
Reported-by: Raven <wxhusst@gmail.com>
Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Message-Id: <20220403095234.2210-1-yuval.shaia.ml@gmail.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: liuxiangdong <liuxiangdong5@huawei.com>
---
hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index dca8f36693..99be9657e3 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -797,6 +797,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
dsr_info = &dev->dsr_info;
+ if (!dsr_info->dsr) {
+ /* Buggy or malicious guest driver */
+ rdma_error_report("Exec command without dsr, req or rsp buffers");
+ goto out;
+ }
+
if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
sizeof(struct cmd_handler)) {
rdma_error_report("Unsupported command");
--
2.36.1

6
qemu.spec
View File

@ -1,6 +1,6 @@
Name: qemu Name: qemu
Version: 4.1.0 Version: 4.1.0
Release: 76 Release: 77
Epoch: 10 Epoch: 10
Summary: QEMU is a generic and open source machine emulator and virtualizer Summary: QEMU is a generic and open source machine emulator and virtualizer
License: GPLv2 and BSD and MIT and CC-BY-SA-4.0 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@ -382,6 +382,7 @@ Patch0369: hw-display-qxl-Document-qxl_phys2virt.patch
Patch0370: hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch Patch0370: hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch
Patch0371: hw-display-qxl-Avoid-buffer-overrun-in-qxl_phys2virt.patch Patch0371: hw-display-qxl-Avoid-buffer-overrun-in-qxl_phys2virt.patch
Patch0372: hw-display-qxl-Assert-memory-slot-fits-in-preallocat.patch Patch0372: hw-display-qxl-Assert-memory-slot-fits-in-preallocat.patch
Patch0373: hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
BuildRequires: flex BuildRequires: flex
BuildRequires: bison BuildRequires: bison
@ -782,6 +783,9 @@ getent passwd qemu >/dev/null || \
%endif %endif
%changelog %changelog
* Thu May 18 2023 liuxiangdong <liuxiangdong5@huawei.com>
- hw/pvrdma: Protect against buggy or malicious guest driver (CVE-2022-1050)
* Mon Dec 05 2022 yezengruan <yezengruan@huawei.com> * Mon Dec 05 2022 yezengruan <yezengruan@huawei.com>
- fix CVE-2022-4144 - fix CVE-2022-4144