diff options
Diffstat (limited to 'meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch')
-rw-r--r-- | meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch | 43 |
1 files changed, 0 insertions, 43 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch b/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch deleted file mode 100644 index 810c74fabd..0000000000 --- a/meta/recipes-devtools/qemu/qemu/0010-hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch +++ /dev/null @@ -1,43 +0,0 @@ -CVE: CVE-2022-1050 -Upstream-Status: Submitted [https://lore.kernel.org/qemu-devel/20220403095234.2210-1-yuval.shaia.ml@gmail.com/] -Signed-off-by: Ross Burton <ross.burton@arm.com> - -From dbdef95c272e8f3ec037c3db4197c66002e30995 Mon Sep 17 00:00:00 2001 -From: Yuval Shaia <yuval.shaia.ml@gmail.com> -Date: Sun, 3 Apr 2022 12:52:34 +0300 -Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver - -Guest driver might execute HW commands when shared buffers are not yet -allocated. -This could happen on purpose (malicious guest) or because of some other -guest/host address mapping error. -We need to protect againts such case. - -Fixes: CVE-2022-1050 - -Reported-by: Raven <wxhusst@gmail.com> -Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com> ---- - hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c -index da7ddfa548..89db963c46 100644 ---- a/hw/rdma/vmw/pvrdma_cmd.c -+++ b/hw/rdma/vmw/pvrdma_cmd.c -@@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) - - dsr_info = &dev->dsr_info; - -+ if (!dsr_info->dsr) { -+ /* Buggy or malicious guest driver */ -+ rdma_error_report("Exec command without dsr, req or rsp buffers"); -+ goto out; -+ } -+ - if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / - sizeof(struct cmd_handler)) { - rdma_error_report("Unsupported command"); --- -2.34.1 - |