hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)

Ensure mremap boundaries not trusting the guest kernel to pass the correct buffer length. Fixes: CVE-2021-3582 Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> Signed-off-by: Marcel Apfelbaum <marcel@redhat.com> Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com> Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com> Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com> Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>

hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)
Ensure mremap boundaries not trusting the guest kernel to pass the correct buffer length. Fixes: CVE-2021-3582 Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com> Signed-off-by: Marcel Apfelbaum <marcel@redhat.com> Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com> Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com> Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com> Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
284f191b · Marcel Apfelbaum · Marcel Apfelbaum · 9c2647f7 · 284f191b
Commit 284f191b authored 3 years ago by Marcel Apfelbaum Committed by Marcel Apfelbaum 3 years ago
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
        return NULL;
    }

+    length = ROUND_UP(length, TARGET_PAGE_SIZE);
+    if (nchunks * TARGET_PAGE_SIZE != length) {
+        rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
+                          (unsigned long)length);
+        return NULL;
+    }
+
    dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
    if (!dir) {
        rdma_error_report("Failed to map to page directory");