hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)
Ensure mremap boundaries not trusting the guest kernel to
pass the correct buffer length.
Fixes: CVE-2021-3582
Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com>
Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
(cherry picked from commit 284f191b4a
)
Signed-off-by: Michael Roth <michael.roth@amd.com>
stable-6.0
parent
4787501893
commit
d25db58213
|
@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
|
|||
return NULL;
|
||||
}
|
||||
|
||||
length = ROUND_UP(length, TARGET_PAGE_SIZE);
|
||||
if (nchunks * TARGET_PAGE_SIZE != length) {
|
||||
rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
|
||||
(unsigned long)length);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
|
||||
if (!dir) {
|
||||
rdma_error_report("Failed to map to page directory");
|
||||
|
|
Loading…
Reference in New Issue