Re: [PATCH-for-7.0] hw/pvrdma: Protect against buggy or malicious guest

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH-for-7.0] hw/pvrdma: Protect against buggy or malicious guest

From:	Philippe Mathieu-Daudé
Subject:	Re: [PATCH-for-7.0] hw/pvrdma: Protect against buggy or malicious guest driver
Date:	Tue, 29 Mar 2022 12:10:59 +0200
User-agent:	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.7.0

On 22/3/22 13:27, Marcel Apfelbaum wrote:

Hi Yuval

On Mon, Mar 21, 2022 at 2:11 PM Yuval Shaia <yuval.shaia.ml@gmail.com> wrote:


Guest driver might execute HW commands when shared buffers are not yet
allocated.
This might happen on purpose (malicious guest) or because some other
guest/host address mapping.
We need to protect againts such case.


Fixes: CVE-2022-1050

Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
---
  hw/rdma/vmw/pvrdma_cmd.c  | 6 ++++++
  hw/rdma/vmw/pvrdma_main.c | 9 +++++----
  2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index da7ddfa548..89db963c46 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)

      dsr_info = &dev->dsr_info;

+    if (!dsr_info->dsr) {
+            /* Buggy or malicious guest driver */
+            rdma_error_report("Exec command without dsr, req or rsp buffers");
+            goto out;
+    }
+
      if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
                        sizeof(struct cmd_handler)) {
          rdma_error_report("Unsupported command");
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 91206dbb8e..aae382af59 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -159,13 +159,13 @@ static void free_dsr(PVRDMADev *dev)
      free_dev_ring(pci_dev, &dev->dsr_info.cq, dev->dsr_info.cq_ring_state);

      rdma_pci_dma_unmap(pci_dev, dev->dsr_info.req,
-                         sizeof(union pvrdma_cmd_req));
+                       sizeof(union pvrdma_cmd_req));

      rdma_pci_dma_unmap(pci_dev, dev->dsr_info.rsp,
-                         sizeof(union pvrdma_cmd_resp));
+                       sizeof(union pvrdma_cmd_resp));

      rdma_pci_dma_unmap(pci_dev, dev->dsr_info.dsr,
-                         sizeof(struct pvrdma_device_shared_region));
+                       sizeof(struct pvrdma_device_shared_region));


Nit: the above changes are not related to the patch, maybe drop them?


Yes please.


Reviewed-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>

Thanks,
Marcel

      dev->dsr_info.dsr = NULL;
  }
@@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev *dev)
  {
      struct pvrdma_device_shared_region *dsr;

-    if (dev->dsr_info.dsr == NULL) {
+    if (!dev->dsr_info.dsr) {
+        /* Buggy or malicious guest driver */
          rdma_error_report("Can't initialized DSR");
          return;
      }
--
2.20.1

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] hw/pvrdma: Protect against buggy or malicious guest driver, Yuval Shaia, 2022/03/21
- Re: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver, Marcel Apfelbaum, 2022/03/22
  - Re: [PATCH-for-7.0] hw/pvrdma: Protect against buggy or malicious guest driver, Philippe Mathieu-Daudé <=

Prev by Date: Re: [PATCH v7 02/17] qdev: unplug blocker for devices
Next by Date: Re: [PATCH for-7.0] main-loop: Disable GLOBAL_STATE_CODE() assertions
Previous by thread: Re: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver
Next by thread: [PATCH] hw/sd/sdhci: Block Size Register bits [14:12] is lost
Index(es):
- Date
- Thread