1CVE: CVE-2022-1050 2Upstream-Status: Submitted [https://lore.kernel.org/qemu-devel/20220403095234.2210-1-yuval.shaia.ml@gmail.com/] 3Signed-off-by: Ross Burton <ross.burton@arm.com> 4 5From dbdef95c272e8f3ec037c3db4197c66002e30995 Mon Sep 17 00:00:00 2001 6From: Yuval Shaia <yuval.shaia.ml@gmail.com> 7Date: Sun, 3 Apr 2022 12:52:34 +0300 8Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver 9 10Guest driver might execute HW commands when shared buffers are not yet 11allocated. 12This could happen on purpose (malicious guest) or because of some other 13guest/host address mapping error. 14We need to protect againts such case. 15 16Fixes: CVE-2022-1050 17 18Reported-by: Raven <wxhusst@gmail.com> 19Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com> 20--- 21 hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ 22 1 file changed, 6 insertions(+) 23 24Index: qemu-8.0.0/hw/rdma/vmw/pvrdma_cmd.c 25=================================================================== 26--- qemu-8.0.0.orig/hw/rdma/vmw/pvrdma_cmd.c 27+++ qemu-8.0.0/hw/rdma/vmw/pvrdma_cmd.c 28@@ -782,6 +782,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) 29 goto out; 30 } 31 32+ if (!dsr_info->dsr) { 33+ /* Buggy or malicious guest driver */ 34+ rdma_error_report("Exec command without dsr, req or rsp buffers"); 35+ goto out; 36+ } 37+ 38 if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / 39 sizeof(struct cmd_handler)) { 40 rdma_error_report("Unsupported command"); 41