authorYuval Shaia <yuval.shaia.ml@gmail.com>2022-04-03 12:52:34 +0300
committerLaurent Vivier <laurent@vivier.eu>2023-01-16 18:49:38 +0100
commit31c4b6fb0293e359f9ef8a61892667e76eea4c99 (patch)
tree166238b28d80f3fd481719f84364710830f766f3 /hw/rdma
parentdaa500cab6a4f8fdaa1a0689a5d39a6b67213801 (diff)
hw/pvrdma: Protect against buggy or malicious guest driver
Guest driver might execute HW commands when shared buffers are not yet allocated. This could happen on purpose (malicious guest) or because of some other guest/host address mapping error. We need to protect against such a case. Fixes: CVE-2022-1050 Reported-by: Raven <wxhusst@gmail.com> Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com> Message-Id: <20220403095234.2210-1-yuval.shaia.ml@gmail.com> Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Diffstat (limited to 'hw/rdma')
-rw-r--r--hw/rdma/vmw/pvrdma_cmd.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index 1eca632..c6ed025 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -776,6 +776,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
dsr_info = &dev->dsr_info;
+ if (!dsr_info->dsr) {
+ /* Buggy or malicious guest driver */
+ rdma_error_report("Exec command without dsr, req or rsp buffers");
+ goto out;
+ }
+
if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
sizeof(struct cmd_handler)) {
rdma_error_report("Unsupported command");
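Review bot: The added guard tests only `dsr_info->dsr`, yet the very next statement dereferences `dsr_info->req`, and the error message itself names the req and rsp buffers as well. If those pointers can be NULL or stale while `dsr` is still set (the code that maps and unmaps them is not visible in this hunk), a guest-triggered command would still reach that dereference. Consider making the check match the message: `if (!dsr_info->dsr || !dsr_info->req || !dsr_info->rsp) {`. pvrdma_exec_cmd starts and ends outside the hunk, so it is also worth confirming that the code at the `out` label does not itself touch any of these buffers on this early-exit path.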