From: Marcel Apfelbaum <marcel@redhat.com>
Date: Wed, 16 Jun 2021 11:06:00 +0000 (+0300)
Subject: hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)
X-Git-Tag: upstream/4.2.1~47
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=2db4dd1d5f436bbd7485c46b3fd0b077616ef7d2;p=tools%2Fqemu-arm-static.git

hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)

Git-commit: 284f191b4abad213aed04cb0458e1600fd18d7c4
References: CVE-2021-3582 bsc#1187499

Ensure mremap boundaries not trusting the guest kernel to
pass the correct buffer length.

Fixes: CVE-2021-3582
Reported-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Tested-by: VictorV (Kunlun Lab) <vv474172261@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel@redhat.com>
Message-Id: <20210616110600.20889-1-marcel.apfelbaum@gmail.com>
Reviewed-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Tested-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Reviewed-by: Prasad J Pandit <pjp@fedoraproject.org>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
---

diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index 692125ac2..1df0b256f 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
         return NULL;
     }
 
+    length = ROUND_UP(length, TARGET_PAGE_SIZE);
+    if (nchunks * TARGET_PAGE_SIZE != length) {
+        rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
+                          (unsigned long)length);
+        return NULL;
+    }
+
     dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
     if (!dir) {
         rdma_error_report("Failed to map to page directory");