CVE-2023-1544: [PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver

A flaw was found in the QEMU implementation of VMWare’s paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.



From: Yuval Shaia

Subject: [PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver

Date: Wed, 1 Mar 2023 16:29:26 +0200

Guest driver allocates and initializes page tables to be used as a ring of descriptors for CQ and async events. The page table that represents the ring, along with the number of pages in the page table, is passed to the device. Currently our device supports only one page table for a ring.

Let's make sure that the number of page table entries the driver reports does not exceed the one page table size.

Reported-by: Soul Chen [email protected]
Signed-off-by: Yuval Shaia [email protected]


v0 -> v1:
  * Take ring-state into account
  * Add Reported-by


hw/rdma/vmw/pvrdma_main.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c index 4fc6712025…55b338046e 100644 — a/hw/rdma/vmw/pvrdma_main.c +++ b/hw/rdma/vmw/pvrdma_main.c @@ -91,19 +91,33 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state, dma_addr_t dir_addr, uint32_t num_pages) { uint64_t *dir, *tbl;

  • int rc = 0;
  • int max_pages, rc = 0;

    if (!num_pages) { rdma_error_report(“Ring pages count must be strictly positive”); return -EINVAL; }

  • /*

  • \* Make sure we can satisfy the requested number of pages in a single
    
  • \* TARGET\_PAGE\_SIZE sized page table (taking into account that first entry
    
  • \* is reserved for ring-state)
    
  • \*/
    
  • max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1;

  • if (num_pages > max_pages) {

  •    rdma\_error\_report("Maximum pages on a single directory must not exceed 
    

%d\n",

  •                      max\_pages);
    
  •    return -EINVAL;
    
  • }
  • dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE); if (!dir) { rdma_error_report("Failed to map to page directory (ring %s)", name); rc = -ENOMEM; goto out; }
  • /* We support only one page table for a ring */ tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE); if (!tbl) { rdma_error_report("Failed to map to page table (ring %s)", name); – 2.20.1
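Review bot: the bound in `max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1;` is derived from sizeof(dma_addr_t), while the table it protects is walked through `uint64_t *dir, *tbl;`; use sizeof(*tbl) (or sizeof(uint64_t)) so the limit stays tied to the type that is actually indexed, and consider declaring max_pages as uint32_t to match num_pages and avoid a signed/unsigned comparison. The new rdma_error_report message also ends with "\n" while the neighbouring messages in this function ("Ring pages count must be strictly positive", "Failed to map to page directory (ring %s)") do not, and it says "directory" where the comment just above it speaks of a page table; logging the rejected num_pages next to max_pages would make a guest that trips this limit easier to triage from the host log.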
  • [PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver, Yuval Shaia <=

    • Re: [PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver, Red Hat Product Security, 2023/03/13
      • Re: [PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver, Yuval Shaia, 2023/03/20
        • Re: [PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver, Mauro Matteo Cascella, 2023/03/21
    • Re: [PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver, Red Hat Product Security, 2023/03/20
Related news

Gentoo Linux Security Advisory 202408-18

Gentoo Linux Security Advisory 202408-18 - Multiple vulnerabilities have been discovered in QEMU, the worst of which could lead to a denial of service. Versions greater than or equal to 8.0.0 are affected.

Ubuntu Security Notice USN-6567-2

Ubuntu Security Notice 6567-2 - USN-6567-1 fixed vulnerabilities in QEMU. The fix for CVE-2023-2861 was too restrictive and introduced a behavior change leading to a regression in certain environments. This update fixes the problem. Gaoning Pan and Xingwei Li discovered that QEMU incorrectly handled the USB xHCI controller device. A privileged guest attacker could possibly use this issue to cause QEMU to crash, leading to a denial of service. Various other issues were also addressed.

Ubuntu Security Notice USN-6567-1

Ubuntu Security Notice 6567-1 - Gaoning Pan and Xingwei Li discovered that QEMU incorrectly handled the USB xHCI controller device. A privileged guest attacker could possibly use this issue to cause QEMU to crash, leading to a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that QEMU incorrectly handled the TCG Accelerator. A local attacker could use this issue to cause QEMU to crash, leading to a denial of service, or possibly execute arbitrary code and escalate privileges. This issue only affected Ubuntu 20.04 LTS.
