Check the guest passed a non zero page count
for pvrdma device ring buffers.
Fixes: CVE-2021-3607
Reported-by: VictorV (Kunlun Lab) <vv474172...@gmail.com>
Reviewed-by: VictorV (Kunlun Lab) <vv474172...@gmail.com>
Signed-off-by: Marcel Apfelbaum <mar...@redhat.com>
Message-Id: <20210630114634.2168872-1-mar...@redhat.com>
Reviewed-by: Yuval Shaia <yuval.shaia...@gmail.com>
Tested-by: Yuval Shaia <yuval.shaia...@gmail.com>
Signed-off-by: Marcel Apfelbaum <marcel.apfelb...@gmail.com>
---
hw/rdma/vmw/pvrdma_main.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/hw/rdma/vmw/pvrdma_main.c b/hw/rdma/vmw/pvrdma_main.c
index 84ae8024fc..7c0c3551a8 100644
--- a/hw/rdma/vmw/pvrdma_main.c
+++ b/hw/rdma/vmw/pvrdma_main.c
@@ -92,6 +92,11 @@ static int init_dev_ring(PvrdmaRing *ring, PvrdmaRingState
**ring_state,
uint64_t *dir, *tbl;
int rc = 0;
+ if (!num_pages) {
+ rdma_error_report("Ring pages count must be strictly positive");
+ return -EINVAL;
+ }
+
dir = rdma_pci_dma_map(pci_dev, dir_addr, TARGET_PAGE_SIZE);
if (!dir) {
rdma_error_report("Failed to map to page directory (ring %s)", name);
--
2.17.2
