@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
dsr_info = &dev->dsr_info;
+ if (!dsr_info->dsr) {
+ /* Buggy or malicious guest driver */
+ rdma_error_report("Exec command without dsr, req or rsp buffers");
+ goto out;
+ }
+
if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
sizeof(struct cmd_handler)) {
rdma_error_report("Unsupported command");
@@ -159,13 +159,13 @@ static void free_dsr(PVRDMADev *dev)
free_dev_ring(pci_dev, &dev->dsr_info.cq, dev->dsr_info.cq_ring_state);
rdma_pci_dma_unmap(pci_dev, dev->dsr_info.req,
- sizeof(union pvrdma_cmd_req));
+ sizeof(union pvrdma_cmd_req));
rdma_pci_dma_unmap(pci_dev, dev->dsr_info.rsp,
- sizeof(union pvrdma_cmd_resp));
+ sizeof(union pvrdma_cmd_resp));
rdma_pci_dma_unmap(pci_dev, dev->dsr_info.dsr,
- sizeof(struct pvrdma_device_shared_region));
+ sizeof(struct pvrdma_device_shared_region));
dev->dsr_info.dsr = NULL;
}
@@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev *dev)
{
struct pvrdma_device_shared_region *dsr;
- if (dev->dsr_info.dsr == NULL) {
+ if (!dev->dsr_info.dsr) {
+ /* Buggy or malicious guest driver */
rdma_error_report("Can't initialized DSR");
return;
}
Guest driver might execute HW commands when shared buffers are not yet allocated. This could happen on purpose (malicious guest) or because of some other guest/host address mapping error. We need to protect againts such case. Fixes: CVE-2022-1050 While there, fix some coding style errors. Reported-by: Raven <wxhusst@gmail.com> Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com> --- v1 -> v2: * Commit message changes --- hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ hw/rdma/vmw/pvrdma_main.c | 9 +++++---- 2 files changed, 11 insertions(+), 4 deletions(-)