From 32e5703cfea07c91e6e84bcb0313f633bb146534 Mon Sep 17 00:00:00 2001 From: Marcel Apfelbaum Date: Wed, 30 Jun 2021 14:46:34 +0300 Subject: pvrdma: Ensure correct input on ring init (CVE-2021-3607) Check the guest passed a non zero page count for pvrdma device ring buffers. Fixes: CVE-2021-3607 Reported-by: VictorV (Kunlun Lab) Reviewed-by: VictorV (Kunlun Lab) Signed-off-by: Marcel Apfelbaum Message-Id: <20210630114634.2168872-1-marcel@redhat.com> Reviewed-by: Yuval Shaia Tested-by: Yuval Shaia Signed-off-by: Marcel Apfelbaum --- hw/rdma/vmw/pvrdma_main.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c index 84ae8024fc..7c0c3551a8 100644 --- a/hw/rdma/vmw/pvrdma_main.c +++ b/hw/rdma/vmw/pvrdma_main.c @@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState **ring_state, uint64_t *dir, *tbl; int rc = 0; + if (!num_pages) { + rdma_error_report("Ring pages count must be strictly positive"); + return -EINVAL; + } + dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE); if (!dir) { rdma_error_report("Failed to map to page directory (ring %s)", name); -- cgit v1.2.3