| Message ID | 20210616110600.20889-1-marcel.apfelbaum@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) | expand |
On Wednesday, 16 June, 2021, 04:36:09 pm IST, Marcel Apfelbaum <marcel.apfelbaum@gmail.com> wrote: >From: Marcel Apfelbaum <marcel@redhat.com> >diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c >index f59879e257..dadab4966b 100644 >--- a/hw/rdma/vmw/pvrdma_cmd.c >+++ b/hw/rdma/vmw/pvrdma_cmd.c >@@ -38,6 +38,12 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma, > return NULL; > } > >+ length = ROUND_UP(length, TARGET_PAGE_SIZE); >+ if (nchunks * TARGET_PAGE_SIZE != length) { >+ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks, length); >+ return NULL; >+ } >+ > dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE); > if (!dir) { > rdma_error_report("Failed to map to page directory"); > Looks okay. Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> Thank you. --- -P J P http://feedmug.com
Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com> Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com> On Wed, 16 Jun 2021 at 14:06, Marcel Apfelbaum <marcel.apfelbaum@gmail.com> wrote: > From: Marcel Apfelbaum <marcel@redhat.com> > > Ensure mremap boundaries not trusting the guest kernel to > pass the correct buffer length. > > Fixes: CVE-2021-3582 > Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> > Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> > Signed-off-by: Marcel Apfelbaum <marcel@redhat.com> > --- > hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c > index f59879e257..dadab4966b 100644 > --- a/hw/rdma/vmw/pvrdma_cmd.c > +++ b/hw/rdma/vmw/pvrdma_cmd.c > @@ -38,6 +38,12 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, > uint64_t pdir_dma, > return NULL; > } > > + length = ROUND_UP(length, TARGET_PAGE_SIZE); > + if (nchunks * TARGET_PAGE_SIZE != length) { > + rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks, > length); > + return NULL; > + } > + > dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE); > if (!dir) { > rdma_error_report("Failed to map to page directory"); > -- > 2.17.2 > >
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c index f59879e257..dadab4966b 100644 --- a/hw/rdma/vmw/pvrdma_cmd.c +++ b/hw/rdma/vmw/pvrdma_cmd.c @@ -38,6 +38,12 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma, return NULL; } + length = ROUND_UP(length, TARGET_PAGE_SIZE); + if (nchunks * TARGET_PAGE_SIZE != length) { + rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks, length); + return NULL; + } + dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE); if (!dir) { rdma_error_report("Failed to map to page directory");