Commit 284f191b authored by Marcel Apfelbaum's avatar Marcel Apfelbaum Committed by Marcel Apfelbaum
Browse files

hw/rdma: Fix possible mremap overflow in the pvrdma device (CVE-2021-3582)

Ensure mremap boundaries not trusting the guest kernel to
pass the correct buffer length.

Fixes: CVE-2021-3582
Reported-by: Tom Victor's avatarVictorV (Kunlun Lab) <>
Tested-by: Tom Victor's avatarVictorV (Kunlun Lab) <>
Signed-off-by: default avatarMarcel Apfelbaum <>
Message-Id: <>
Reviewed-by: default avatarYuval Shaia <>
Tested-by: default avatarYuval Shaia <>
Reviewed-by: default avatarPrasad J Pandit <>
Signed-off-by: default avatarMarcel Apfelbaum <>
parent 9c2647f7
......@@ -38,6 +38,13 @@ static void *pvrdma_map_to_pdir(PCIDevice *pdev, uint64_t pdir_dma,
return NULL;
length = ROUND_UP(length, TARGET_PAGE_SIZE);
if (nchunks * TARGET_PAGE_SIZE != length) {
rdma_error_report("Invalid nchunks/length (%u, %lu)", nchunks,
(unsigned long)length);
return NULL;
dir = rdma_pci_dma_map(pdev, pdir_dma, TARGET_PAGE_SIZE);
if (!dir) {
rdma_error_report("Failed to map to page directory");
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment