]> git.ipfire.org Git - thirdparty/qemu.git/commitdiff
projects / thirdparty / qemu.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d25db58)
pvrdma: Ensure correct input on ring init (CVE-2021-3607)
authorMarcel Apfelbaum <marcel.apfelbaum@gmail.com>
Wed, 30 Jun 2021 11:46:34 +0000 (14:46 +0300)
committerMichael Roth <michael.roth@amd.com>
Mon, 18 Oct 2021 01:27:24 +0000 (20:27 -0500)
Check the guest passed a non zero page count
for pvrdma device ring buffers.

Fixes: CVE-2021-3607
Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Reviewed-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Message-Id: <20210630114634.2168872-1-marcel@redhat.com>
Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
(cherry picked from commit 32e5703cfea07c91e6e84bcb0313f633bb146534)
Signed-off-by: Michael Roth <michael.roth@amd.com>
hw/rdma/vmw/pvrdma_main.c patch | blob | blame | history

diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 84ae8024fcfd86c535aeacc7198af7edb9800835..7c0c3551a8a4952397e1202cfc9fa62ced28cfae 100644 (file)
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state,
     uint64_t *dir, *tbl;
     int rc = 0;
 
+    if (!num_pages) {
+        rdma_error_report("Ring pages count must be strictly positive");
+        return -EINVAL;
+    }
+
     dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
     if (!dir) {
         rdma_error_report("Failed to map to page directory (ring %s)", name);
Mirror of https://git.qemu.org/git/qemu.git