Re: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest driver
15.05.2023 19:08, Michael Tokarev пишет: 16.01.2023 20:50, Laurent Vivier wrote: Le 28/12/2022 à 20:32, Thomas Huth a écrit : On 19/12/2022 12.21, Marcel Apfelbaum wrote: On Mon, Dec 19, 2022 at 10:57 AM Yuval Shaia wrote: Can anyone else pick this one? Adding Thomas, I dropped the ball with this one, I am sorry about that, maybe it doesn't worth a Pull Request only for it. Why not? Pull request for single patches aren't that uncommon. Maybe it can go through the Misc tree? hw/rdma/ is really not my turf, but since the patch is small, it sounds like a good candidate for qemu-trivial, I think. Applied to my trivial-patches branch. Has it been forgotten again? :) Ah nope. There are 2 patches with the same subject, always confusing. This one is applied. /mjt
Re: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest driver
16.01.2023 20:50, Laurent Vivier wrote: Le 28/12/2022 à 20:32, Thomas Huth a écrit : On 19/12/2022 12.21, Marcel Apfelbaum wrote: On Mon, Dec 19, 2022 at 10:57 AM Yuval Shaia wrote: Can anyone else pick this one? Adding Thomas, I dropped the ball with this one, I am sorry about that, maybe it doesn't worth a Pull Request only for it. Why not? Pull request for single patches aren't that uncommon. Maybe it can go through the Misc tree? hw/rdma/ is really not my turf, but since the patch is small, it sounds like a good candidate for qemu-trivial, I think. Applied to my trivial-patches branch. Has it been forgotten again? :) /mjt
Re: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest driver
Le 28/12/2022 à 20:32, Thomas Huth a écrit : On 19/12/2022 12.21, Marcel Apfelbaum wrote: On Mon, Dec 19, 2022 at 10:57 AM Yuval Shaia wrote: Can anyone else pick this one? Adding Thomas, I dropped the ball with this one, I am sorry about that, maybe it doesn't worth a Pull Request only for it. Why not? Pull request for single patches aren't that uncommon. Maybe it can go through the Misc tree? hw/rdma/ is really not my turf, but since the patch is small, it sounds like a good candidate for qemu-trivial, I think. Applied to my trivial-patches branch. Thanks, Laurent Thomas On Wed, 7 Dec 2022 at 17:05, Claudio Fontana wrote: On 4/5/22 12:31, Marcel Apfelbaum wrote: Hi Yuval, Thank you for the changes. On Sun, Apr 3, 2022 at 11:54 AM Yuval Shaia wrote: Guest driver might execute HW commands when shared buffers are not yet allocated. This could happen on purpose (malicious guest) or because of some other guest/host address mapping error. We need to protect againts such case. Fixes: CVE-2022-1050 Reported-by: Raven Signed-off-by: Yuval Shaia --- v1 -> v2: * Commit message changes v2 -> v3: * Exclude cosmetic changes --- hw/rdma/vmw/pvrdma_cmd.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c index da7ddfa548..89db963c46 100644 --- a/hw/rdma/vmw/pvrdma_cmd.c +++ b/hw/rdma/vmw/pvrdma_cmd.c @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) dsr_info = >dsr_info; + if (!dsr_info->dsr) { + /* Buggy or malicious guest driver */ + rdma_error_report("Exec command without dsr, req or rsp buffers"); + goto out; + } + if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / sizeof(struct cmd_handler)) { rdma_error_report("Unsupported command"); -- 2.20.1 cc-ing Peter and Philippe for a question: Do we have a "Security Fixes" or a "Misc" subtree? Otherwise it will have to wait a week or so. Reviewed by: Marcel Apfelbaum Thanks, Marcel Hi all, patch is reviewed, anything holding back the inclusion of this security fix? Thanks, Claudio
Re: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest driver
On 19/12/2022 12.21, Marcel Apfelbaum wrote: On Mon, Dec 19, 2022 at 10:57 AM Yuval Shaia wrote: Can anyone else pick this one? Adding Thomas, I dropped the ball with this one, I am sorry about that, maybe it doesn't worth a Pull Request only for it. Why not? Pull request for single patches aren't that uncommon. Maybe it can go through the Misc tree? hw/rdma/ is really not my turf, but since the patch is small, it sounds like a good candidate for qemu-trivial, I think. Thomas On Wed, 7 Dec 2022 at 17:05, Claudio Fontana wrote: On 4/5/22 12:31, Marcel Apfelbaum wrote: Hi Yuval, Thank you for the changes. On Sun, Apr 3, 2022 at 11:54 AM Yuval Shaia wrote: Guest driver might execute HW commands when shared buffers are not yet allocated. This could happen on purpose (malicious guest) or because of some other guest/host address mapping error. We need to protect againts such case. Fixes: CVE-2022-1050 Reported-by: Raven Signed-off-by: Yuval Shaia --- v1 -> v2: * Commit message changes v2 -> v3: * Exclude cosmetic changes --- hw/rdma/vmw/pvrdma_cmd.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c index da7ddfa548..89db963c46 100644 --- a/hw/rdma/vmw/pvrdma_cmd.c +++ b/hw/rdma/vmw/pvrdma_cmd.c @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) dsr_info = >dsr_info; +if (!dsr_info->dsr) { +/* Buggy or malicious guest driver */ +rdma_error_report("Exec command without dsr, req or rsp buffers"); +goto out; +} + if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / sizeof(struct cmd_handler)) { rdma_error_report("Unsupported command"); -- 2.20.1 cc-ing Peter and Philippe for a question: Do we have a "Security Fixes" or a "Misc" subtree? Otherwise it will have to wait a week or so. Reviewed by: Marcel Apfelbaum Thanks, Marcel Hi all, patch is reviewed, anything holding back the inclusion of this security fix? Thanks, Claudio
Re: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest driver
On Mon, Dec 19, 2022 at 10:57 AM Yuval Shaia wrote: > > Can anyone else pick this one? Adding Thomas, I dropped the ball with this one, I am sorry about that, maybe it doesn't worth a Pull Request only for it. Maybe it can go through the Misc tree? Thank you, Marcel > > Thanks, > Yuval > > On Wed, 7 Dec 2022 at 17:05, Claudio Fontana wrote: >> >> On 4/5/22 12:31, Marcel Apfelbaum wrote: >> > Hi Yuval, >> > Thank you for the changes. >> > >> > On Sun, Apr 3, 2022 at 11:54 AM Yuval Shaia >> > wrote: >> >> >> >> Guest driver might execute HW commands when shared buffers are not yet >> >> allocated. >> >> This could happen on purpose (malicious guest) or because of some other >> >> guest/host address mapping error. >> >> We need to protect againts such case. >> >> >> >> Fixes: CVE-2022-1050 >> >> >> >> Reported-by: Raven >> >> Signed-off-by: Yuval Shaia >> >> --- >> >> v1 -> v2: >> >> * Commit message changes >> >> v2 -> v3: >> >> * Exclude cosmetic changes >> >> --- >> >> hw/rdma/vmw/pvrdma_cmd.c | 6 ++ >> >> 1 file changed, 6 insertions(+) >> >> >> >> diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c >> >> index da7ddfa548..89db963c46 100644 >> >> --- a/hw/rdma/vmw/pvrdma_cmd.c >> >> +++ b/hw/rdma/vmw/pvrdma_cmd.c >> >> @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) >> >> >> >> dsr_info = >dsr_info; >> >> >> >> +if (!dsr_info->dsr) { >> >> +/* Buggy or malicious guest driver */ >> >> +rdma_error_report("Exec command without dsr, req or rsp >> >> buffers"); >> >> +goto out; >> >> +} >> >> + >> >> if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / >> >>sizeof(struct cmd_handler)) { >> >> rdma_error_report("Unsupported command"); >> >> -- >> >> 2.20.1 >> >> >> > >> > cc-ing Peter and Philippe for a question: >> > Do we have a "Security Fixes" or a "Misc" subtree? Otherwise it will >> > have to wait a week or so. >> > >> > Reviewed by: Marcel Apfelbaum >> > Thanks, >> > Marcel >> > >> >> Hi all, >> >> patch is reviewed, anything holding back the inclusion of this security fix? >> >> Thanks, >> >> Claudio
Re: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest driver
Can anyone else pick this one? Thanks, Yuval On Wed, 7 Dec 2022 at 17:05, Claudio Fontana wrote: > On 4/5/22 12:31, Marcel Apfelbaum wrote: > > Hi Yuval, > > Thank you for the changes. > > > > On Sun, Apr 3, 2022 at 11:54 AM Yuval Shaia > wrote: > >> > >> Guest driver might execute HW commands when shared buffers are not yet > >> allocated. > >> This could happen on purpose (malicious guest) or because of some other > >> guest/host address mapping error. > >> We need to protect againts such case. > >> > >> Fixes: CVE-2022-1050 > >> > >> Reported-by: Raven > >> Signed-off-by: Yuval Shaia > >> --- > >> v1 -> v2: > >> * Commit message changes > >> v2 -> v3: > >> * Exclude cosmetic changes > >> --- > >> hw/rdma/vmw/pvrdma_cmd.c | 6 ++ > >> 1 file changed, 6 insertions(+) > >> > >> diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c > >> index da7ddfa548..89db963c46 100644 > >> --- a/hw/rdma/vmw/pvrdma_cmd.c > >> +++ b/hw/rdma/vmw/pvrdma_cmd.c > >> @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) > >> > >> dsr_info = >dsr_info; > >> > >> +if (!dsr_info->dsr) { > >> +/* Buggy or malicious guest driver */ > >> +rdma_error_report("Exec command without dsr, req or rsp > buffers"); > >> +goto out; > >> +} > >> + > >> if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / > >>sizeof(struct cmd_handler)) { > >> rdma_error_report("Unsupported command"); > >> -- > >> 2.20.1 > >> > > > > cc-ing Peter and Philippe for a question: > > Do we have a "Security Fixes" or a "Misc" subtree? Otherwise it will > > have to wait a week or so. > > > > Reviewed by: Marcel Apfelbaum > > Thanks, > > Marcel > > > > Hi all, > > patch is reviewed, anything holding back the inclusion of this security > fix? > > Thanks, > > Claudio >
Re: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest driver
On 4/5/22 12:31, Marcel Apfelbaum wrote: > Hi Yuval, > Thank you for the changes. > > On Sun, Apr 3, 2022 at 11:54 AM Yuval Shaia wrote: >> >> Guest driver might execute HW commands when shared buffers are not yet >> allocated. >> This could happen on purpose (malicious guest) or because of some other >> guest/host address mapping error. >> We need to protect againts such case. >> >> Fixes: CVE-2022-1050 >> >> Reported-by: Raven >> Signed-off-by: Yuval Shaia >> --- >> v1 -> v2: >> * Commit message changes >> v2 -> v3: >> * Exclude cosmetic changes >> --- >> hw/rdma/vmw/pvrdma_cmd.c | 6 ++ >> 1 file changed, 6 insertions(+) >> >> diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c >> index da7ddfa548..89db963c46 100644 >> --- a/hw/rdma/vmw/pvrdma_cmd.c >> +++ b/hw/rdma/vmw/pvrdma_cmd.c >> @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) >> >> dsr_info = >dsr_info; >> >> +if (!dsr_info->dsr) { >> +/* Buggy or malicious guest driver */ >> +rdma_error_report("Exec command without dsr, req or rsp >> buffers"); >> +goto out; >> +} >> + >> if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / >>sizeof(struct cmd_handler)) { >> rdma_error_report("Unsupported command"); >> -- >> 2.20.1 >> > > cc-ing Peter and Philippe for a question: > Do we have a "Security Fixes" or a "Misc" subtree? Otherwise it will > have to wait a week or so. > > Reviewed by: Marcel Apfelbaum > Thanks, > Marcel > Hi all, patch is reviewed, anything holding back the inclusion of this security fix? Thanks, Claudio
Re: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest driver
Ping? This is from April this year, half a year ago. Can this be applied or? Marcel said it should wait a week or two, I think that's been done already.. ;) Thanks, /mjt 03.04.2022 12:52, Yuval Shaia wrote: Guest driver might execute HW commands when shared buffers are not yet allocated. This could happen on purpose (malicious guest) or because of some other guest/host address mapping error. We need to protect againts such case. Fixes: CVE-2022-1050 Reported-by: Raven Signed-off-by: Yuval Shaia --- v1 -> v2: * Commit message changes v2 -> v3: * Exclude cosmetic changes --- hw/rdma/vmw/pvrdma_cmd.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c index da7ddfa548..89db963c46 100644 --- a/hw/rdma/vmw/pvrdma_cmd.c +++ b/hw/rdma/vmw/pvrdma_cmd.c @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) dsr_info = >dsr_info; +if (!dsr_info->dsr) { +/* Buggy or malicious guest driver */ +rdma_error_report("Exec command without dsr, req or rsp buffers"); +goto out; +} + if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / sizeof(struct cmd_handler)) { rdma_error_report("Unsupported command");
Re: [PATCH v3] hw/pvrdma: Protect against buggy or malicious guest driver
Hi Yuval, Thank you for the changes. On Sun, Apr 3, 2022 at 11:54 AM Yuval Shaia wrote: > > Guest driver might execute HW commands when shared buffers are not yet > allocated. > This could happen on purpose (malicious guest) or because of some other > guest/host address mapping error. > We need to protect againts such case. > > Fixes: CVE-2022-1050 > > Reported-by: Raven > Signed-off-by: Yuval Shaia > --- > v1 -> v2: > * Commit message changes > v2 -> v3: > * Exclude cosmetic changes > --- > hw/rdma/vmw/pvrdma_cmd.c | 6 ++ > 1 file changed, 6 insertions(+) > > diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c > index da7ddfa548..89db963c46 100644 > --- a/hw/rdma/vmw/pvrdma_cmd.c > +++ b/hw/rdma/vmw/pvrdma_cmd.c > @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) > > dsr_info = >dsr_info; > > +if (!dsr_info->dsr) { > +/* Buggy or malicious guest driver */ > +rdma_error_report("Exec command without dsr, req or rsp > buffers"); > +goto out; > +} > + > if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / >sizeof(struct cmd_handler)) { > rdma_error_report("Unsupported command"); > -- > 2.20.1 > cc-ing Peter and Philippe for a question: Do we have a "Security Fixes" or a "Misc" subtree? Otherwise it will have to wait a week or so. Reviewed by: Marcel Apfelbaum Thanks, Marcel
[PATCH v3] hw/pvrdma: Protect against buggy or malicious guest driver
Guest driver might execute HW commands when shared buffers are not yet allocated. This could happen on purpose (malicious guest) or because of some other guest/host address mapping error. We need to protect againts such case. Fixes: CVE-2022-1050 Reported-by: Raven Signed-off-by: Yuval Shaia --- v1 -> v2: * Commit message changes v2 -> v3: * Exclude cosmetic changes --- hw/rdma/vmw/pvrdma_cmd.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c index da7ddfa548..89db963c46 100644 --- a/hw/rdma/vmw/pvrdma_cmd.c +++ b/hw/rdma/vmw/pvrdma_cmd.c @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) dsr_info = >dsr_info; +if (!dsr_info->dsr) { +/* Buggy or malicious guest driver */ +rdma_error_report("Exec command without dsr, req or rsp buffers"); +goto out; +} + if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / sizeof(struct cmd_handler)) { rdma_error_report("Unsupported command"); -- 2.20.1