[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 62/64] hw/rdma: Fix possible mremap overflow in the pvrdma device
From: |
Michael Roth |
Subject: |
[PATCH 62/64] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582) |
Date: |
Tue, 19 Oct 2021 09:09:42 -0500 |
From: Marcel Apfelbaum <marcel@redhat.com>
Ensure mremap boundaries not trusting the guest kernel to
pass the correct buffer length.
Fixes: CVE-2021-3582
Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com>
Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
(cherry picked from commit 284f191b4abad213aed04cb0458e1600fd18d7c4)
Signed-off-by: Michael Roth <michael.roth@amd.com>
---
hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index f59879e257..da7ddfa548 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t
pdir_dma,
return NULL;
}
+ length = ROUND_UP(length, TARGET_PAGE_SIZE);
+ if (nchunks * TARGET_PAGE_SIZE != length) {
+ rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
+ (unsigned long)length);
+ return NULL;
+ }
+
dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
if (!dir) {
rdma_error_report("Failed to map to page directory");
--
2.25.1
- [PATCH 53/64] usb/redir: avoid dynamic stack allocation (CVE-2021-3527), (continued)
- [PATCH 53/64] usb/redir: avoid dynamic stack allocation (CVE-2021-3527), Michael Roth, 2021/10/19
- [PATCH 54/64] usb: limit combined packets to 1 MiB (CVE-2021-3527), Michael Roth, 2021/10/19
- [PATCH 55/64] vhost-user-gpu: fix memory disclosure in virgl_cmd_get_capset_info (CVE-2021-3545), Michael Roth, 2021/10/19
- [PATCH 56/64] vhost-user-gpu: fix resource leak in 'vg_resource_create_2d' (CVE-2021-3544), Michael Roth, 2021/10/19
- [PATCH 57/64] vhost-user-gpu: fix memory leak in vg_resource_attach_backing (CVE-2021-3544), Michael Roth, 2021/10/19
- [PATCH 58/64] vhost-user-gpu: fix memory leak while calling 'vg_resource_unref' (CVE-2021-3544), Michael Roth, 2021/10/19
- [PATCH 59/64] vhost-user-gpu: fix memory leak in 'virgl_cmd_resource_unref' (CVE-2021-3544), Michael Roth, 2021/10/19
- [PATCH 05/64] migration/rdma: Fix cm_event used before being initialized, Michael Roth, 2021/10/19
- [PATCH 60/64] vhost-user-gpu: fix memory leak in 'virgl_resource_attach_backing' (CVE-2021-3544), Michael Roth, 2021/10/19
- [PATCH 61/64] vhost-user-gpu: fix OOB write in 'virgl_cmd_get_capset' (CVE-2021-3546), Michael Roth, 2021/10/19
- [PATCH 62/64] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582),
Michael Roth <=
- [PATCH 63/64] pvrdma: Ensure correct input on ring init (CVE-2021-3607), Michael Roth, 2021/10/19
- [PATCH 64/64] pvrdma: Fix the ring init error flow (CVE-2021-3608), Michael Roth, 2021/10/19
- [PATCH 06/64] target/i386: Exit tb after wrmsr, Michael Roth, 2021/10/19
- [PATCH 07/64] target/ppc: Fix load endianness for lxvwsx/lxvdsx, Michael Roth, 2021/10/19
- [PATCH 08/64] vl: allow not specifying size in -m when using -M memory-backend, Michael Roth, 2021/10/19
- Re: [PATCH 00/64] Patch Round-up for stable 6.0.1, freeze on 2021-10-26, Ani Sinha, 2021/10/19
- Re: [PATCH 00/64] Patch Round-up for stable 6.0.1, freeze on 2021-10-26, Christian Schoenebeck, 2021/10/19