Reviewed-by: Yuval Shaia <yuval.shaia...@gmail.com>
Tested-by: Yuval Shaia <yuval.shaia...@gmail.com>
On Wed, 16 Jun 2021 at 14:06, Marcel Apfelbaum <marcel.apfelb...@gmail.com> wrote: > From: Marcel Apfelbaum <mar...@redhat.com> > > Ensure mremap boundaries not trusting the guest kernel to > pass the correct buffer length. > > Fixes: CVE-2021-3582 > Reported-by: VictorV (Kunlun Lab) <vv474172...@gmail.com> > Tested-by: VictorV (Kunlun Lab) <vv474172...@gmail.com> > Signed-off-by: Marcel Apfelbaum <mar...@redhat.com> > --- > hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c > index f59879e257..dadab4966b 100644 > --- a/hw/rdma/vmw/pvrdma_cmd.c > +++ b/hw/rdma/vmw/pvrdma_cmd.c > @@ -38,6 +38,12 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, > uint64_t pdir_dma, > return NULL; > } > > + length = ROUND_UP(length, TARGET_PAGE_SIZE); > + if (nchunks * TARGET_PAGE_SIZE != length) { > + rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks, > length); > + return NULL; > + } > + > dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE); > if (!dir) { > rdma_error_report("Failed to map to page directory"); > -- > 2.17.2 > >
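Review bot: In the added check `nchunks * TARGET_PAGE_SIZE != length`, the product is evaluated before the comparison, and nchunks is printed with `%u`, so if it is a 32-bit value and TARGET_PAGE_SIZE is not a 64-bit constant, the multiplication can wrap and the equality no longer bounds the mapping. Widening first, as in `(uint64_t)nchunks * TARGET_PAGE_SIZE != length`, or comparing `length / TARGET_PAGE_SIZE != nchunks` after the round-up, removes that dependency on the operand types. The `ROUND_UP(length, TARGET_PAGE_SIZE)` on the line above can itself wrap for a length within one page of the type's maximum, so rejecting such values before rounding would be safer. The `%lu` used for length in the error message is only correct where `long` matches the type of length, whose declaration is not visible in this hunk; `%zu` or `PRIu64`, whichever fits that declaration, would be portable. A one-line comment above the check stating that both nchunks and length are guest-supplied would document why the validation is there.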