Headline
CVE-2023-1544: [PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver
A flaw was found in the QEMU implementation of VMWare’s paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
From:
Yuval Shaia
Subject:
[PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver
Date:
Wed, 1 Mar 2023 16:29:26 +0200
Guest driver allocates and initialize page tables to be used as a ring of descriptors for CQ and async events. The page table that represents the ring, along with the number of pages in the page table is passed to the device. Currently our device supports only one page table for a ring.
Let’s make sure that the number of page table entries the driver reports, do not exceeds the one page table size.
Reported-by: Soul Chen [email protected] Signed-off-by: Yuval Shaia [email protected]
v0 -> v1: * Take ring-state into account * Add Reported-by
hw/rdma/vmw/pvrdma_main.c | 16 ++++++++++++++± 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c index 4fc6712025…55b338046e 100644 — a/hw/rdma/vmw/pvrdma_main.c +++ b/hw/rdma/vmw/pvrdma_main.c @@ -91,19 +91,33 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state, dma_addr_t dir_addr, uint32_t num_pages) { uint64_t *dir, *tbl;
- int rc = 0;
int max_pages, rc = 0;
if (!num_pages) { rdma_error_report(“Ring pages count must be strictly positive”); return -EINVAL; }
/*
\* Make sure we can satisfy the requested number of pages in a single
\* TARGET\_PAGE\_SIZE sized page table (taking into account that first entry
\* is reserved for ring-state)
\*/
max_pages = TARGET_PAGE_SIZE / sizeof(dma_addr_t) - 1;
if (num_pages > max_pages) {
rdma\_error\_report("Maximum pages on a single directory must not exceed
%d\n",
max\_pages);
return -EINVAL;
- }
- dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE); if (!dir) { rdma_error_report("Failed to map to page directory (ring %s)", name); rc = -ENOMEM; goto out; }
- /* We support only one page table for a ring */ tbl = rdma_pci_dma_map(pci_dev, dir[0], TARGET_PAGE_SIZE); if (!tbl) { rdma_error_report("Failed to map to page table (ring %s)", name); – 2.20.1
[PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver, Yuval Shaia <=
- Re: [PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver, Red Hat Product Security, 2023/03/13
- Re: [PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver, Yuval Shaia, 2023/03/20
- Re: [PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver, Mauro Matteo Cascella, 2023/03/21
- Re: [PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver, Yuval Shaia, 2023/03/20
- Re: [PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver, Red Hat Product Security, 2023/03/20
- Re: [PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver, Red Hat Product Security, 2023/03/13
Prev by Date: Re: [PATCH 5/5] hw/audio/via-ac97: Basic implementation of audio playback
Next by Date: [PATCH] Add qemu qcode support for keys F13 to F24
Previous by thread: Re: [PATCH 5/5] hw/audio/via-ac97: Basic implementation of audio playback
Next by thread: Re: [PATCH v1] hw/pvrdma: Protect against buggy or malicious guest driver
Index(es):
- Date
- Thread
Related news
Gentoo Linux Security Advisory 202408-18 - Multiple vulnerabilities have been discovered in QEMU, the worst of which could lead to a denial of service. Versions greater than or equal to 8.0.0 are affected.
Ubuntu Security Notice 6567-2 - USN-6567-1 fixed vulnerabilities QEMU. The fix for CVE-2023-2861 was too restrictive and introduced a behavior change leading to a regression in certain environments. This update fixes the problem. Gaoning Pan and Xingwei Li discovered that QEMU incorrectly handled the USB xHCI controller device. A privileged guest attacker could possibly use this issue to cause QEMU to crash, leading to a denial of service. Various other issues were also addressed.
Ubuntu Security Notice 6567-1 - Gaoning Pan and Xingwei Li discovered that QEMU incorrectly handled the USB xHCI controller device. A privileged guest attacker could possibly use this issue to cause QEMU to crash, leading to a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that QEMU incorrectly handled the TCG Accelerator. A local attacker could use this issue to cause QEMU to crash, leading to a denial of service, or possibly execute arbitrary code and escalate privileges. This issue only affected Ubuntu 20.04 LTS.