
Re: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest driver


From: Marcel Apfelbaum
Subject: Re: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest driver
Date: Mon, 19 Dec 2022 12:21:09 +0100

On Mon, Dec 19, 2022 at 10:57 AM Yuval Shaia <yuval.shaia.ml@gmail.com> wrote:
>
> Can anyone else pick this one?

Adding Thomas,

I dropped the ball with this one, I am sorry about that, maybe it
isn't worth a Pull Request only for it.

Maybe it can go through the Misc tree?

Thank you,
Marcel


>
> Thanks,
> Yuval
>
> On Wed, 7 Dec 2022 at 17:05, Claudio Fontana <cfontana@suse.de> wrote:
>>
>> On 4/5/22 12:31, Marcel Apfelbaum wrote:
>> > Hi Yuval,
>> > Thank you for the changes.
>> >
>> > On Sun, Apr 3, 2022 at 11:54 AM Yuval Shaia <yuval.shaia.ml@gmail.com> wrote:
>> >>
>> >> Guest driver might execute HW commands when shared buffers are not yet
>> >> allocated.
>> >> This could happen on purpose (malicious guest) or because of some other
>> >> guest/host address mapping error.
>> >> We need to protect against such a case.
>> >>
>> >> Fixes: CVE-2022-1050
>> >>
>> >> Reported-by: Raven <wxhusst@gmail.com>
>> >> Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
>> >> ---
>> >> v1 -> v2:
>> >>         * Commit message changes
>> >> v2 -> v3:
>> >>         * Exclude cosmetic changes
>> >> ---
>> >>  hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
>> >>  1 file changed, 6 insertions(+)
>> >>
>> >> diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
>> >> index da7ddfa548..89db963c46 100644
>> >> --- a/hw/rdma/vmw/pvrdma_cmd.c
>> >> +++ b/hw/rdma/vmw/pvrdma_cmd.c
>> >> @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
>> >>
>> >>      dsr_info = &dev->dsr_info;
>> >>
>> >> +    if (!dsr_info->dsr) {
>> >> +            /* Buggy or malicious guest driver */
>> >> +            rdma_error_report("Exec command without dsr, req or rsp 
>> >> buffers");
>> >> +            goto out;
>> >> +    }
>> >> +
>> >>      if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
>> >>                        sizeof(struct cmd_handler)) {
>> >>          rdma_error_report("Unsupported command");
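Review bot: The new guard in pvrdma_exec_cmd() tests only dsr_info->dsr, but its error message names "dsr, req or rsp buffers" and the very next statement dereferences dsr_info->req (dsr_info->req->hdr.cmd). If req or rsp can be unset while dsr is set, the NULL dereference this check is meant to stop is still reachable from the guest. Consider testing all three pointers in the condition, e.g. `if (!dsr_info->dsr || !dsr_info->req || !dsr_info->rsp)`, or, if the three are always set and cleared together, say so in the comment so the message and the check agree. Style: the body of the added block is indented twelve spaces, whereas the neighbouring rdma_error_report("Unsupported command") call sits at eight; align it with the surrounding code.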
>> >> --
>> >> 2.20.1
>> >>
>> >
>> > cc-ing Peter and Philippe for a question:
>> > Do we have a "Security Fixes" or a "Misc" subtree? Otherwise it will
>> > have to wait a week or so.
>> >
>> > Reviewed by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
>> > Thanks,
>> > Marcel
>> >
>>
>> Hi all,
>>
>> patch is reviewed, anything holding back the inclusion of this security fix?
>>
>> Thanks,
>>
>> Claudio


