dm: fix fault Injection into VirtIO console backend

CVE# CVE-2021-23905
 Add a NULL pointer check when initializing the vq rings, and add a vq ring
 descriptor check, to avoid a NULL pointer dereference.

Tracked-On: #5355
Signed-off-by: Liu Long <long.liu@intel.com>
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Reviewed-by: Wang, Yu1 <yu1.wang@intel.com>
Yonghua Huang 2021-07-02 12:03:06 +08:00 committed by wenlingz
parent e09ecb13eb
commit 3348723805
2 changed files with 14 additions and 1 deletions


@ -332,18 +332,26 @@ virtio_vq_enable(struct virtio_base *base)
phys = (((uint64_t)vq->gpa_desc[1]) << 32) | vq->gpa_desc[0];
size = qsz * sizeof(struct vring_desc);
vb = paddr_guest2host(base->dev->vmctx, phys, size);
if (!vb)
goto error;
vq->desc = (struct vring_desc *)vb;
/* available ring */
phys = (((uint64_t)vq->gpa_avail[1]) << 32) | vq->gpa_avail[0];
size = (2 + qsz + 1) * sizeof(uint16_t);
vb = paddr_guest2host(base->dev->vmctx, phys, size);
if (!vb)
goto error;
vq->avail = (struct vring_avail *)vb;
/* used ring */
phys = (((uint64_t)vq->gpa_used[1]) << 32) | vq->gpa_used[0];
size = sizeof(uint16_t) * 3 + sizeof(struct vring_used_elem) * qsz;
vb = paddr_guest2host(base->dev->vmctx, phys, size);
if (!vb)
goto error;
vq->used = (struct vring_used *)vb;
/* Mark queue as allocated, and start at 0 when we use it. */
@ -353,6 +361,9 @@ virtio_vq_enable(struct virtio_base *base)
/* Mark queue as enabled. */
vq->enabled = true;
error:
vq->flags = 0;
}
/*
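Review bot: No `return;` is visible between `vq->enabled = true;` and the new `error:` label in the second hunk of this file, so as shown the success path falls through into `vq->flags = 0;` and undoes the "Mark queue as allocated" step that the first hunk's trailing comment refers to. Blank lines appear to have been lost in this rendering and the allocation assignment itself lies outside the hunks, so this needs confirming against the file; if it holds, the fix is a `return;` directly after `vq->enabled = true;`. The error path also leaves whichever of `vq->desc`, `vq->avail` and `vq->used` were already assigned still pointing at their mappings, and it fails silently. Clearing the three pointers under `error:` and logging the failure there would make a bad guest-supplied ring address both harmless to later users of the queue and visible to the operator.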


@ -405,7 +405,9 @@ virtio_console_notify_rx(void *vdev, struct virtio_vq_info *vq)
if (!port->rx_ready) {
port->rx_ready = 1;
vq->used->flags |= VRING_USED_F_NO_NOTIFY;
if (vq_has_descs(vq)) {
vq->used->flags |= VRING_USED_F_NO_NOTIFY;
}
}
}
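Review bot: `vq_has_descs(vq)` is used here as a stand-in for "the used ring is mapped", but by its name it reports whether descriptors are available, which is a different condition. With this guard `VRING_USED_F_NO_NOTIFY` is no longer set when the ring is valid but the guest has not yet posted a buffer, while `port->rx_ready = 1` is still set unconditionally. If the helper's definition (not shown on this page) does not itself test ring validity, the NULL dereference of `vq->used` also remains. Checking the ring state directly, for example `if (vq_ring_ready(vq))` if that macro is available in this tree, with a comment such as `/* rings are unmapped if the guest supplied a bad address */`, would state the intent and keep the notification suppression. The function body starts outside the hunk.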