qemu/hw
Yuval Shaia 06c9bf032f hw/pvrdma: Protect against buggy or malicious guest driver
Guest driver allocates and initialize page tables to be used as a ring
of descriptors for CQ and async events.
The page table that represents the ring, along with the number of pages
in the page table is passed to the device.
Currently our device supports only one page table for a ring.

Let's make sure that the number of page table entries the driver
reports, do not exceeds the one page table size.

Reported-by: Soul Chen <soulchen8650@gmail.com>
Signed-off-by: Yuval Shaia <yuval.shaia.ml@gmail.com>
Fixes: CVE-2023-1544
Message-ID: <20230301142926.18686-1-yuval.shaia.ml@gmail.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
(cherry picked from commit 85fc35afa9)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2023-10-21 14:05:14 +03:00
..
9pfs hw: replace most qemu_bh_new calls with qemu_bh_new_guarded 2023-09-11 10:53:50 +03:00
acpi acpi: pcihp: allow repeating hot-unplug requests 2023-05-18 21:09:41 +03:00
adc hw/adc: Make adci[*] R/W in NPCM7XX ADC 2022-07-18 13:20:14 +01:00
alpha hw: Remove unused MAX_IDE_BUS define 2022-10-31 11:32:07 +01:00
arm hw/arm/smmu: Handle big-endian hosts correctly 2023-07-31 09:12:06 +03:00
audio hw/audio/es1370: reset current sample counter 2023-10-21 14:05:14 +03:00
avr
block hw: replace most qemu_bh_new calls with qemu_bh_new_guarded 2023-09-11 10:53:50 +03:00
char hw/char/riscv_htif: Fix printing of console characters on big endian hosts 2023-09-13 12:21:22 +03:00
core machine: Add helpers to get cores/threads per socket 2023-09-11 10:53:50 +03:00
cpu
cris
cxl hw/cxl: Fix CFMW config memory leak 2023-09-25 23:43:49 +03:00
display hw/display/ramfb: plug slight guest-triggerable leak on mode setting 2023-10-05 08:44:37 +03:00
dma hw/dma/xilinx_axidma: Check DMASR.HALTED to prevent infinite loop. 2023-05-31 09:43:56 +03:00
gpio hw/gpio/meson: Introduce dedicated config switch for hw/gpio/mpc8xxx 2022-10-17 16:15:09 -03:00
hppa target/hppa: Provide qemu version via fw_cfg to firmware 2023-06-26 19:35:29 +03:00
hyperv hw/hyperv/hyperv.c: Use device_cold_reset() instead of device_legacy_reset() 2022-10-27 10:27:23 +01:00
i2c hw/i2c/aspeed: Fix TXBUF transmission start position error 2023-09-11 10:53:51 +03:00
i386 amd_iommu: Fix APIC address check 2023-10-21 14:05:14 +03:00
ide hw/ide/ahci: fix broken SError handling 2023-09-11 10:53:51 +03:00
input pckbd: remove legacy i8042_mm_init() function 2022-07-18 19:28:46 +01:00
intc hw/intc: Make rtc variable names consistent 2023-09-13 12:21:22 +03:00
ipack
ipmi ipmi:smbus: Add a check around a memcpy 2022-08-01 06:40:50 -05:00
isa acpi: x86: move RPQx field back to _SB scope 2022-11-22 05:19:00 -05:00
loongarch Revert "hw/loongarch/virt: Add cfi01 pflash device" 2022-12-05 11:24:35 -05:00
m68k m68k/q800: do not re-randomize RNG seed on snapshot load 2022-10-27 11:34:31 +01:00
mem hw/mem/cxl-type3: Add CXL CDAT Data Object Exchange 2022-11-07 13:12:19 -05:00
microblaze hw/microblaze: pass random seed to fdt 2022-09-21 19:59:56 +02:00
mips kvm: Introduce kvm_arch_get_default_type hook 2023-09-11 10:53:50 +03:00
misc bcm2835_property: disable reentrancy detection for iomem 2023-09-11 10:53:50 +03:00
net hw/net/vmxnet3: Fix guest-triggerable assert() 2023-09-11 10:53:51 +03:00
nios2 hw/nios2: set machine->fdt in nios2_load_dtb() 2022-10-17 16:15:10 -03:00
nubus
nvme hw/nvme: fix CRC64 for guard tag 2023-09-11 10:53:50 +03:00
nvram Revert "x86: return modified setup_data only if read as memory, not as file" 2023-03-29 10:20:04 +03:00
openrisc openrisc: re-randomize rng-seed on reboot 2022-10-27 11:34:31 +01:00
pci pci: do not respond config requests after PCI device eject 2023-08-04 07:37:06 +03:00
pci-bridge hw/pci-bridge/cxl-upstream: Add a CDAT table access DOE 2022-11-07 13:12:19 -05:00
pci-host raven: disable reentrancy detection for iomem 2023-09-11 10:53:50 +03:00
pcmcia
ppc hw/ppc: Always store the decrementer value 2023-09-25 23:43:49 +03:00
rdma hw/pvrdma: Protect against buggy or malicious guest driver 2023-10-21 14:05:14 +03:00
remote hw/remote: Fix vfu_cfg trace offset format 2023-06-11 11:02:28 +03:00
riscv hw/riscv: virt: Fix riscv,pmu DT node path 2023-09-13 12:21:22 +03:00
rtc goldfish_rtc: Add big-endian property 2022-09-04 07:02:56 +01:00
rx rx: re-randomize rng-seed on reboot 2022-10-27 11:34:31 +01:00
s390x s390x/ap: fix missing subsystem reset registration 2023-09-13 21:57:05 +03:00
scsi scsi-disk: ensure that FORMAT UNIT commands are terminated 2023-10-03 18:25:00 +03:00
sd hw/sd/allwinner-sdhost: Correctly byteswap descriptor fields 2023-05-18 21:09:59 +03:00
sensor hw/sensor: Add Renesas ISL69259 device model 2022-07-14 16:24:38 +02:00
sh4
smbios hw/smbios: Fix core count in type4 2023-09-11 10:53:50 +03:00
sparc machine: make memory-backend a link property 2022-05-12 12:29:44 +02:00
sparc64 hw: Remove unused MAX_IDE_BUS define 2022-10-31 11:32:07 +01:00
ssi aspeed/smc: Cache AspeedSMCClass 2022-10-24 11:20:15 +02:00
timer hw/timer/nrf51_timer: Don't lose time when timer is queried in tight loop 2023-06-22 10:38:38 +03:00
tpm hw/tpm: TIS on sysbus: Remove unsupport ppi command line option 2023-09-13 12:21:22 +03:00
tricore
usb hw: replace most qemu_bh_new calls with qemu_bh_new_guarded 2023-09-11 10:53:50 +03:00
vfio vfio/pci: Disable INTx in vfio_realize error path 2023-08-05 08:39:54 +03:00
virtio virtio: Drop out of coroutine context in virtio_load() 2023-09-13 12:21:22 +03:00
watchdog watchdog: remove -watchdog option 2022-09-29 11:40:28 +02:00
xen xen/pt: reserve PCI slot 2 for Intel igd-passthru 2023-05-18 21:09:59 +03:00
xenpv Warn user if the vga flag is passed but no vga device is created 2022-05-09 08:21:14 +02:00
xtensa hw/xtensa: fix reset value of MIROUT register of MX PIC 2022-05-06 15:27:40 -07:00
Kconfig hw/loongarch: Add support loongson3 virt machine type. 2022-06-06 18:09:03 +00:00
meson.build hw/loongarch: Add support loongson3 virt machine type. 2022-06-06 18:09:03 +00:00