hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)

[PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)

Posted by Marcel Apfelbaum 2 years, 10 months ago

From: Marcel Apfelbaum <marcel@redhat.com>

Ensure mremap boundaries not trusting the guest kernel to
pass the correct buffer length.

Fixes: CVE-2021-3582
Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
---
 hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index f59879e257..dadab4966b 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -38,6 +38,12 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
         return NULL;
     }
 
+    length = ROUND_UP(length, TARGET_PAGE_SIZE);
+    if (nchunks * TARGET_PAGE_SIZE != length) {
+        rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks, length);
+        return NULL;
+    }
+
     dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
     if (!dir) {
         rdma_error_report("Failed to map to page directory");
-- 
2.17.2

Re: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)

Posted by P J P 2 years, 10 months ago

On Wednesday, 16 June, 2021, 04:36:09 pm IST, Marcel Apfelbaum <marcel.apfelbaum@gmail.com> wrote:
>From: Marcel Apfelbaum <marcel@redhat.com>
>diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
>index f59879e257..dadab4966b 100644
>--- a/hw/rdma/vmw/pvrdma_cmd.c
>+++ b/hw/rdma/vmw/pvrdma_cmd.c
>@@ -38,6 +38,12 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
>        return NULL;
>    }
>
>+    length = ROUND_UP(length, TARGET_PAGE_SIZE);
>+    if (nchunks * TARGET_PAGE_SIZE != length) {
>+        rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks, length);
>+        return NULL;
>+    }
>+
>    dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
>    if (!dir) {
>        rdma_error_report("Failed to map to page directory");
>

Looks okay.
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>


Thank you.
---
  -P J P
http://feedmug.com

Re: [PATCH] hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)

Posted by Yuval Shaia 2 years, 10 months ago

Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>

On Wed, 16 Jun 2021 at 14:06, Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
wrote:

> From: Marcel Apfelbaum <marcel@redhat.com>
>
> Ensure mremap boundaries not trusting the guest kernel to
> pass the correct buffer length.
>
> Fixes: CVE-2021-3582
> Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
> Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
> Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
> ---
>  hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
> index f59879e257..dadab4966b 100644
> --- a/hw/rdma/vmw/pvrdma_cmd.c
> +++ b/hw/rdma/vmw/pvrdma_cmd.c
> @@ -38,6 +38,12 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev,
> uint64_t pdir_dma,
>          return NULL;
>      }
>
> +    length = ROUND_UP(length, TARGET_PAGE_SIZE);
> +    if (nchunks * TARGET_PAGE_SIZE != length) {
> +        rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
> length);
> +        return NULL;
> +    }
> +
>      dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
>      if (!dir) {
>          rdma_error_report("Failed to map to page directory");
> --
> 2.17.2
>
>