Re: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest drive
From: Marcel Apfelbaum
Subject: Re: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest driver
Date: Mon, 19 Dec 2022 12:21:09 +0100
On Mon, Dec 19, 2022 at 10:57 AM Yuval Shaia <yuval.shaia.ml@gmail.com> wrote:
>
> Can anyone else pick this one?
Adding Thomas,
I dropped the ball with this one, I am sorry about that, maybe it
isn't worth a Pull Request only for it.
Maybe it can go through the Misc tree?
Thank you,
Marcel
>
> Thanks,
> Yuval
>
> On Wed, 7 Dec 2022 at 17:05, Claudio Fontana <cfontana@suse.de> wrote:
>>
>> On 4/5/22 12:31, Marcel Apfelbaum wrote:
>> > Hi Yuval,
>> > Thank you for the changes.
>> >
>> > On Sun, Apr 3, 2022 at 11:54 AM Yuval Shaia <yuval.shaia.ml@gmail.com>
>> > wrote:
>> >>
>> >> Guest driver might execute HW commands when shared buffers are not yet
>> >> allocated.
>> >> This could happen on purpose (malicious guest) or because of some other
>> >> guest/host address mapping error.
>> >> We need to protect against such a case.
>> >>
>> >> Fixes: CVE-2022-1050
>> >>
>> >> Reported-by: Raven <wxhusst@gmail.com>
>> >> Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
>> >> ---
>> >> v1 -> v2:
>> >> * Commit message changes
>> >> v2 -> v3:
>> >> * Exclude cosmetic changes
>> >> ---
>> >> hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
>> >> 1 file changed, 6 insertions(+)
>> >>
>> >> diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
>> >> index da7ddfa548..89db963c46 100644
>> >> --- a/hw/rdma/vmw/pvrdma_cmd.c
>> >> +++ b/hw/rdma/vmw/pvrdma_cmd.c
>> >> @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
>> >>
>> >> dsr_info = &dev->dsr_info;
>> >>
>> >> + if (!dsr_info->dsr) {
>> >> + /* Buggy or malicious guest driver */
>> >> + rdma_error_report("Exec command without dsr, req or rsp
>> >> buffers");
>> >> + goto out;
>> >> + }
>> >> +
>> >> if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
>> >> sizeof(struct cmd_handler)) {
>> >> rdma_error_report("Unsupported command");
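Review bot: the new guard in pvrdma_exec_cmd() tests only dsr_info->dsr, yet its error message names the dsr, req and rsp buffers, and the statement right after it dereferences dsr_info->req->hdr.cmd. If req or rsp can be unset while dsr is set, that dereference is still reachable with a NULL pointer. Either extend the condition to also check dsr_info->req and the rsp pointer, or add a comment stating that both are always mapped whenever dsr is non-NULL and shorten the message to match what is actually tested.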
>> >> --
>> >> 2.20.1
>> >>
>> >
>> > cc-ing Peter and Philippe for a question:
>> > Do we have a "Security Fixes" or a "Misc" subtree? Otherwise it will
>> > have to wait a week or so.
>> >
>> > Reviewed by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
>> > Thanks,
>> > Marcel
>> >
>>
>> Hi all,
>>
>> patch is reviewed, anything holding back the inclusion of this security fix?
>>
>> Thanks,
>>
>> Claudio