1hw/pvrdma: Protect against buggy or malicious guest driver
2
3Guest driver might execute HW commands when shared buffers are not yet
4allocated.
5This might happen on purpose (malicious guest) or because some other
6guest/host address mapping.
7We need to protect againts such case.
8
9Reported-by: Mauro Matteo Cascella <mcascell@redhat.com>
10Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
11
12CVE: CVE-2022-1050
13Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html]
14
15Index: qemu-6.2.0/hw/rdma/vmw/pvrdma_cmd.c
16===================================================================
17--- qemu-6.2.0.orig/hw/rdma/vmw/pvrdma_cmd.c
18+++ qemu-6.2.0/hw/rdma/vmw/pvrdma_cmd.c
19@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
20
21 dsr_info = &dev->dsr_info;
22
23+ if (!dsr_info->dsr) {
24+ /* Buggy or malicious guest driver */
25+ rdma_error_report("Exec command without dsr, req or rsp buffers");
26+ goto out;
27+ }
28+
29 if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
30 sizeof(struct cmd_handler)) {
31 rdma_error_report("Unsupported command");
32Index: qemu-6.2.0/hw/rdma/vmw/pvrdma_main.c
33===================================================================
34--- qemu-6.2.0.orig/hw/rdma/vmw/pvrdma_main.c
35+++ qemu-6.2.0/hw/rdma/vmw/pvrdma_main.c
36@@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev
37 {
38 struct pvrdma_device_shared_region *dsr;
39
40- if (dev->dsr_info.dsr == NULL) {
41+ if (!dev->dsr_info.dsr) {
42+ /* Buggy or malicious guest driver */
43 rdma_error_report("Can't initialized DSR");
44 return;
45 }
46
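Review bot: The new guard in pvrdma_exec_cmd tests only dsr_info->dsr, while its error text names the req and rsp buffers and the very next statement dereferences dsr_info->req->hdr.cmd, which the guard does not cover. Whether a non-NULL dsr implies non-NULL req and rsp depends on how the mapping code handles a partial failure, and that code is outside this hunk, so the safety of the dereference rests on an invariant the reader cannot verify here. Checking all three pointers makes the function self-contained and matches the message: `if (!dsr_info->dsr || !dsr_info->req || !dsr_info->rsp) {`. The rest of pvrdma_exec_cmd, including the out label this branch jumps to, lies outside the hunk.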