File 0215-hw-rdma-Fix-possible-mremap-overflo.patch of Package qemu.28156
From: Marcel Apfelbaum <marcel@redhat.com>
Date: Wed, 16 Jun 2021 14:06:00 +0300
Subject: hw/rdma: Fix possible mremap overflow in the pvrdma device
(CVE-2021-3582)
Git-commit: 284f191b4abad213aed04cb0458e1600fd18d7c4
References: CVE-2021-3582 bsc#1187499
Ensure mremap boundaries not trusting the guest kernel to
pass the correct buffer length.
Fixes: CVE-2021-3582
Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com>
Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
[JRZ: changed from rdma_error_report to error_report]
Signed-off-by: Jose R Ziviani <jose.ziviani@suse.com>
---
hw/rdma/vmw/pvrdma_cmd.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index a3a86d7c8e10b623ca6bbfa2ddee..a6f2f61420b380aa2ee8b6b80d3a 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -39,6 +39,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
return NULL;
}
+ length = ROUND_UP(length, TARGET_PAGE_SIZE);
+ if (nchunks * TARGET_PAGE_SIZE != length) {
+ error_report("Invalid nchunks/length (%u, %lu)", nchunks,
+ (unsigned long)length);
+ return NULL;
+ }
+
dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
if (!dir) {
error_report("PVRDMA: Failed to map to page directory");