From d8da2eaa570faf59a8a7ee49a3fc08c4c8c41530 Mon Sep 17 00:00:00 2001
From: liuxiangdong
Date: Fri, 12 May 2023 16:34:35 +0800
Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver (CVE-2022-1050)

Fix CVE-2022-1050

Signed-off-by: liuxiangdong
---
 ...t-against-buggy-or-malicious-guest-d.patch | 42 +++++++++++++++++++
 qemu.spec | 6 ++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch

diff --git a/hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch b/hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
new file mode 100644
index 00000000..33422dc4
--- /dev/null
+++ b/hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
@@ -0,0 +1,42 @@
+From 16bea8df3ea108990e1cd9729cf7c141a9852dee Mon Sep 17 00:00:00 2001
+From: Yuval Shaia
+Date: Sun, 3 Apr 2022 12:52:34 +0300
+Subject: [PATCH] hw/pvrdma: Protect against buggy or malicious guest driver
+
+Guest driver might execute HW commands when shared buffers are not yet
+allocated.
+This could happen on purpose (malicious guest) or because of some other
+guest/host address mapping error.
+We need to protect againts such case.
+
+Fixes: CVE-2022-1050
+
+Reported-by: Raven
+Signed-off-by: Yuval Shaia
+Message-Id: <20220403095234.2210-1-yuval.shaia.ml@gmail.com>
+Signed-off-by: Laurent Vivier
+Signed-off-by: liuxiangdong
+---
+ hw/rdma/vmw/pvrdma_cmd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/hw/rdma/vmw/pvrdma_cmd.c b/hw/rdma/vmw/pvrdma_cmd.c
+index dca8f36693..99be9657e3 100644
+--- a/hw/rdma/vmw/pvrdma_cmd.c
++++ b/hw/rdma/vmw/pvrdma_cmd.c
+@@ -797,6 +797,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev)
+
+ dsr_info = &dev->dsr_info;
+
++ if (!dsr_info->dsr) {
++ /* Buggy or malicious guest driver */
++ rdma_error_report("Exec command without dsr, req or rsp buffers");
++ goto out;
++ }
++
+ if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) /
+ sizeof(struct cmd_handler)) {
+ rdma_error_report("Unsupported command");
+-- 
+2.36.1
+
diff --git a/qemu.spec b/qemu.spec
index 12da51ab..907f9215 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -1,6 +1,6 @@
 Name: qemu
 Version: 4.1.0
-Release: 76
+Release: 77
 Epoch: 10
 Summary: QEMU is a generic and open source machine emulator and virtualizer
 License: GPLv2 and BSD and MIT and CC-BY-SA-4.0
@@ -382,6 +382,7 @@ Patch0369: hw-display-qxl-Document-qxl_phys2virt.patch
 Patch0370: hw-display-qxl-Pass-requested-buffer-size-to-qxl_phy.patch
 Patch0371: hw-display-qxl-Avoid-buffer-overrun-in-qxl_phys2virt.patch
 Patch0372: hw-display-qxl-Assert-memory-slot-fits-in-preallocat.patch
+Patch0373: hw-pvrdma-Protect-against-buggy-or-malicious-guest-d.patch
 BuildRequires: flex
 BuildRequires: bison
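Review bot: The guard added in the nested hunk at `@@ -797,6 +797,12 @@` tests only `dsr_info->dsr`, yet its error message names the req and rsp buffers as well and the very next context line dereferences `dsr_info->req`. Whether a non-NULL `dsr` guarantees that `req` and `rsp` are also mapped depends on the unwind path of the code that maps the shared region, which is outside this patch; if the check deliberately relies on that invariant, the comment should say so, e.g. `/* dsr is mapped last to be unmapped on failure, so req/rsp are valid when it is set */` (wording to be confirmed against the mapping code), otherwise widening it to `if (!dsr_info->dsr || !dsr_info->req || !dsr_info->rsp) {` costs nothing and makes the message accurate. The `out:` label the new `goto` targets, and the remainder of pvrdma_exec_cmd, lie outside the hunk, so what state is reported to the guest on this early exit cannot be confirmed from here. The spec-file hunks on this line are a release bump and a patch-list entry and need no review.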
@@ -782,6 +783,9 @@ getent passwd qemu >/dev/null || \
 %endif
 
 %changelog
+* Thu May 18 2023 liuxiangdong
+- hw/pvrdma: Protect against buggy or malicious guest driver (CVE-2022-1050)
+
 * Mon Dec 05 2022 yezengruan
 - fix CVE-2022-4144
 
-- 
Gitee