File 0268-hw-pvrdma-Protect-against-buggy-or-.patch of Package qemu.30219

From: Li Zhang <lizhang@suse.de>
Date: Mon, 21 Aug 2023 09:58:58 +0200
Subject: hw/pvrdma: Protect against buggy or malicious guest driver

Guest driver might execute HW commands when shared buffers are not yet
allocated.
This could happen on purpose (malicious guest) or because of some other
guest/host address mapping error.
We need to protect againts such case.

Fixes: CVE-2022-1050

Reported-by: Raven <wxhusst@gmail.com>
Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Message-Id: <20220403095234.2210-1-yuval.shaia.ml@gmail.com>
Signed-off-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: Li Zhang <lizhang@suse.de>
---
 hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index a6f2f61420b380aa2ee8b6b80d3a..08d573e1a11a6e873925159e4d74 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -715,6 +715,12 @@ int execute_command(PVRDMADev *dev)
 
     dsr_info = &dev->dsr_info;
 
+    if (!dsr_info->dsr) {
+        /* Buggy or malicious guest driver */
+        pr_dbg("Exec command without dsr, req or rsp buffers");
+        goto out;
+    }
+
     pr_dbg("cmd=%d\n", dsr_info->req->hdr.cmd);
     if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
                       sizeof(struct cmd_handler)) {