On Mon, Dec 19, 2022 at 10:57 AM Yuval Shaia <[email protected]> wrote:
>
> Can anyone else pick this one?

Adding Thomas,

I dropped the ball with this one, I am sorry about that, maybe it isn't worth a Pull Request only for it.
Maybe it can go through the Misc tree?

Thank you,
Marcel

>
> Thanks,
> Yuval
>
> On Wed, 7 Dec 2022 at 17:05, Claudio Fontana <[email protected]> wrote:
>>
>> On 4/5/22 12:31, Marcel Apfelbaum wrote:
>> > Hi Yuval,
>> > Thank you for the changes.
>> >
>> > On Sun, Apr 3, 2022 at 11:54 AM Yuval Shaia <[email protected]>
>> > wrote:
>> >>
>> >> Guest driver might execute HW commands when shared buffers are not yet
>> >> allocated.
>> >> This could happen on purpose (malicious guest) or because of some other
>> >> guest/host address mapping error.
>> >> We need to protect against such case.
>> >>
>> >> Fixes: CVE-2022-1050
>> >>
>> >> Reported-by: Raven <[email protected]>
>> >> Signed-off-by: Yuval Shaia <[email protected]>
>> >> ---
>> >> v1 -> v2:
>> >> * Commit message changes
>> >> v2 -> v3:
>> >> * Exclude cosmetic changes
>> >> ---
>> >> hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
>> >> 1 file changed, 6 insertions(+)
>> >>
>> >> diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c >> >> index da7ddfa548..89db963c46 100644 >> >> --- a/hw/rdma/vmw/pvrdma_cmd.c >> >> +++ b/hw/rdma/vmw/pvrdma_cmd.c
>> >> @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) >> >> >> >> dsr_info = &dev->dsr_info; >> >> >> >> + if (!dsr_info->dsr) { >> >> + /* Buggy or malicious guest driver */ >> >> + rdma_error_report("Exec command without dsr, req or rsp >> >> buffers"); >> >> + goto out; >> >> + } >> >> + >> >> if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / >> >> sizeof(struct cmd_handler)) { >> >> rdma_error_report("Unsupported command"); >> >> -- >> >> 2.20.1
>> >>
>> >
>> > cc-ing Peter and Philippe for a question:
>> > Do we have a "Security Fixes" or a "Misc" subtree? Otherwise it will
>> > have to wait a week or so.
>> >
>> > Reviewed by: Marcel Apfelbaum <[email protected]>
>> > Thanks,
>> > Marcel
>> >
>>
>> Hi all,
>>
>> patch is reviewed, anything holding back the inclusion of this security fix?
>>
>> Thanks,
>>
>> Claudio
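
Review bot: in the guard added to pvrdma_exec_cmd(), only dsr_info->dsr is tested, yet the error text says "dsr, req or rsp buffers" and the very next context line dereferences dsr_info->req->hdr.cmd. Either extend the condition to cover dsr_info->req and dsr_info->rsp as well, or add a comment stating why a non-NULL dsr guarantees that both are mapped. The body of the out label is not visible in this hunk, so it is also worth confirming that the path taken by goto out does not itself touch req or rsp.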
