hw/pvrdma: Protect against buggy or malicious guest driver Guest driver might execute HW commands when shared buffers are not yet allocated. This might happen on purpose (malicious guest) or because some other guest/host address mapping. We need to protect against such case. Reported-by: Mauro Matteo Cascella Signed-off-by: Yuval Shaia CVE: CVE-2022-1050 Upstream-Status: Submitted [https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html] Index: qemu-6.2.0/hw/rdma/vmw/pvrdma_cmd.c =================================================================== --- qemu-6.2.0.orig/hw/rdma/vmw/pvrdma_cmd.c +++ qemu-6.2.0/hw/rdma/vmw/pvrdma_cmd.c @@ -796,6 +796,12 @@ int pvrdma_exec_cmd(PVRDMADev *dev) dsr_info = &dev->dsr_info; + if (!dsr_info->dsr) { + /* Buggy or malicious guest driver */ + rdma_error_report("Exec command without dsr, req or rsp buffers"); + goto out; + } + if (dsr_info->req->hdr.cmd >= sizeof(cmd_handlers) / sizeof(struct cmd_handler)) { rdma_error_report("Unsupported command"); Index: qemu-6.2.0/hw/rdma/vmw/pvrdma_main.c =================================================================== --- qemu-6.2.0.orig/hw/rdma/vmw/pvrdma_main.c +++ qemu-6.2.0/hw/rdma/vmw/pvrdma_main.c @@ -249,7 +249,8 @@ static void init_dsr_dev_caps(PVRDMADev { struct pvrdma_device_shared_region *dsr; - if (dev->dsr_info.dsr == NULL) { + if (!dev->dsr_info.dsr) { + /* Buggy or malicious guest driver */ rdma_error_report("Can't initialized DSR"); return; }
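Review bot: In the pvrdma_exec_cmd hunk the guard only tests `dsr_info->dsr`, yet the error message names "dsr, req or rsp buffers" and the very next line dereferences `dsr_info->req->hdr.cmd`. If `req` (or `rsp`, which the command handlers write to) can be unset independently of `dsr`, the NULL dereference this patch is meant to stop is still reachable; suggest widening the check to `if (!dsr_info->dsr || !dsr_info->req || !dsr_info->rsp)` so it matches the message and actually covers the pointer used below, and confirm that the `out` path reports a failure to the caller rather than silently returning success.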
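Review bot: The init_dsr_dev_caps hunk makes no functional change: `dev->dsr_info.dsr == NULL` and `!dev->dsr_info.dsr` are equivalent, so this hunk only adds a comment and restyles the condition. A CVE fix is easier to review and backport when it carries only the behavioural change; either drop this hunk or, if the comment is wanted, also correct the adjacent message "Can't initialized DSR" to "Can't initialize DSR" while the surrounding lines are being touched.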