From: Prasad J Pandit Date: Thu, 13 Dec 2018 01:00:34 +0530 Subject: rdma: check num_sge does not exceed MAX_SGE rdma back-end has scatter/gather array ibv_sge[MAX_SGE=4] set to have 4 elements. A guest could send a 'PvrdmaSqWqe' ring element with 'num_sge' set to > MAX_SGE, which may lead to OOB access issue. Add check to avoid it. Reported-by: Saar Amar Signed-off-by: Prasad J Pandit Reviewed-by: Yuval Shaia Signed-off-by: Marcel Apfelbaum (cherry picked from commit 0e68373cc2b3a063ce067bc0cc3edaf370752890) [BR: BSC#1119840 CVE-2018-20124, modified complete_work() calls to be comp_handler()] Signed-off-by: Bruce Rogers --- hw/rdma/rdma_backend.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hw/rdma/rdma_backend.c b/hw/rdma/rdma_backend.c index d7a4bbd91f..0b3b98a94c 100644 --- a/hw/rdma/rdma_backend.c +++ b/hw/rdma/rdma_backend.c @@ -311,8 +311,8 @@ void rdma_backend_post_send(RdmaBackendDev *backend_dev, } pr_dbg("num_sge=%d\n", num_sge); - if (!num_sge) { - pr_dbg("num_sge=0\n"); + if (!num_sge || num_sge > MAX_SGE) { + pr_dbg("invalid num_sge=%d\n", num_sge); comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx); return; } @@ -390,8 +390,8 @@ void rdma_backend_post_recv(RdmaBackendDev *backend_dev, } pr_dbg("num_sge=%d\n", num_sge); - if (!num_sge) { - pr_dbg("num_sge=0\n"); + if (!num_sge || num_sge > MAX_SGE) { + pr_dbg("invalid num_sge=%d\n", num_sge); comp_handler(IBV_WC_GENERAL_ERR, VENDOR_ERR_NO_SGE, ctx); return; }