qemu/0050-pvrdma-check-number-of-pages-when-c.patch

From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Thu, 13 Dec 2018 01:00:36 +0530
Subject: pvrdma: check number of pages when creating rings

When creating CQ/QP rings, an object can have up to
PVRDMA_MAX_FAST_REG_PAGES 8 pages. Check 'npages' parameter
to avoid excessive memory allocation or a null dereference.

Reported-by: Li Qiang <liq3ea@163.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
(cherry picked from commit 2c858ce5da8ae6689c75182b73bc455a291cad41)
[BR: BSC#1119989 CVE-2018-20125]
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
 hw/rdma/vmw/pvrdma_cmd.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
index 4faeb21631..ce2514aacb 100644
--- a/hw/rdma/vmw/pvrdma_cmd.c
+++ b/hw/rdma/vmw/pvrdma_cmd.c
@@ -261,6 +261,11 @@ static int create_cq_ring(PCIDevice *pci_dev , PvrdmaRing **ring,
     int rc = -EINVAL;
     char ring_name[MAX_RING_NAME_SZ];
 
+    if (!nchunks || nchunks > PVRDMA_MAX_FAST_REG_PAGES) {
+        pr_dbg("invalid nchunks: %d\n", nchunks);
+        return rc;
+    }
+
     pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
     dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
     if (!dir) {
@@ -377,6 +382,12 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t pdir_dma,
     char ring_name[MAX_RING_NAME_SZ];
     uint32_t wqe_sz;
 
+    if (!spages || spages > PVRDMA_MAX_FAST_REG_PAGES
+        || !rpages || rpages > PVRDMA_MAX_FAST_REG_PAGES) {
+        pr_dbg("invalid pages: %d, %d\n", spages, rpages);
+        return rc;
+    }
+
     pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);
     dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);
     if (!dir) {
Accepting request 664459 from home:bfrogers:branches:Virtualization Include security fixes and other recent "stable" fixes OBS-URL: https://build.opensuse.org/request/show/664459 OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=445 2019-01-10 22:10:49 +01:00			`From: Prasad J Pandit <pjp@fedoraproject.org>`
			`Date: Thu, 13 Dec 2018 01:00:36 +0530`
			`Subject: pvrdma: check number of pages when creating rings`

			`When creating CQ/QP rings, an object can have up to`
			`PVRDMA_MAX_FAST_REG_PAGES 8 pages. Check 'npages' parameter`
			`to avoid excessive memory allocation or a null dereference.`

			`Reported-by: Li Qiang <liq3ea@163.com>`
			`Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>`
			`Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>`
			`Signed-off-by: Marcel Apfelbaum <marcel.apfelbaum@gmail.com>`
			`(cherry picked from commit 2c858ce5da8ae6689c75182b73bc455a291cad41)`
			`[BR: BSC#1119989 CVE-2018-20125]`
			`Signed-off-by: Bruce Rogers <brogers@suse.com>`
			`---`
			`hw/rdma/vmw/pvrdma_cmd.c \| 11 +++++++++++`
			`1 file changed, 11 insertions(+)`

			`diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c`
			`index 4faeb21631..ce2514aacb 100644`
			`--- a/hw/rdma/vmw/pvrdma_cmd.c`
			`+++ b/hw/rdma/vmw/pvrdma_cmd.c`
			`@@ -261,6 +261,11 @@ static int create_cq_ring(PCIDevice pci_dev , PvrdmaRing *ring,`
			`int rc = -EINVAL;`
			`char ring_name[MAX_RING_NAME_SZ];`

			`+ if (!nchunks \|\| nchunks > PVRDMA_MAX_FAST_REG_PAGES) {`
			`+ pr_dbg("invalid nchunks: %d\n", nchunks);`
			`+ return rc;`
			`+ }`
			`+`
			`pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);`
			`dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);`
			`if (!dir) {`
			`@@ -377,6 +382,12 @@ static int create_qp_rings(PCIDevice *pci_dev, uint64_t pdir_dma,`
			`char ring_name[MAX_RING_NAME_SZ];`
			`uint32_t wqe_sz;`

			`+ if (!spages \|\| spages > PVRDMA_MAX_FAST_REG_PAGES`
			`+ \|\| !rpages \|\| rpages > PVRDMA_MAX_FAST_REG_PAGES) {`
			`+ pr_dbg("invalid pages: %d, %d\n", spages, rpages);`
			`+ return rc;`
			`+ }`
			`+`
			`pr_dbg("pdir_dma=0x%llx\n", (long long unsigned int)pdir_dma);`
			`dir = rdma_pci_dma_map(pci_dev, pdir_dma, TARGET_PAGE_SIZE);`
			`if (!dir) {`