Reviewed-by: Yuval Shaia <[email protected]> Tested-by: Yuval Shaia <[email protected]>
On Wed, 16 Jun 2021 at 14:06, Marcel Apfelbaum <[email protected]> wrote: > From: Marcel Apfelbaum <[email protected]> > > Ensure mremap boundaries not trusting the guest kernel to > pass the correct buffer length. > > Fixes: CVE-2021-3582 > Reported-by: VictorV (Kunlun Lab) <[email protected]> > Tested-by: VictorV (Kunlun Lab) <[email protected]> > Signed-off-by: Marcel Apfelbaum <[email protected]> > --- > hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c > index f59879e257..dadab4966b 100644 > --- a/hw/rdma/vmw/pvrdma_cmd.c > +++ b/hw/rdma/vmw/pvrdma_cmd.c > @@ -38,6 +38,12 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, > uint64_t pdir_dma, > return NULL; > } > > + length = ROUND_UP(length, TARGET_PAGE_SIZE); > + if (nchunks * TARGET_PAGE_SIZE != length) { > + rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks, > length); > + return NULL; > + } > + > dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE); > if (!dir) { > rdma_error_report("Failed to map to page directory"); > -- > 2.17.2 > >
