[PATCH v2 2/2] pci: ensure configuration access is within bounds

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH v2 2/2] pci: ensure configuration access is within bounds

From:	P J P
Subject:	[PATCH v2 2/2] pci: ensure configuration access is within bounds
Date:	Thu, 4 Jun 2020 01:52:51 +0530

From: Prasad J Pandit <pjp@fedoraproject.org>

While reading PCI configuration bytes, a guest may send an
address towards the end of the configuration space. It may lead
to an OOB access issue. Assert that 'address + len' is within
PCI configuration space.

Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
---
 hw/pci/pci.c | 2 ++
 1 file changed, 2 insertions(+)

Update v2: assert PCI configuration access is within bounds
  -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00711.html

diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index 70c66965f5..173bec4fd5 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -1381,6 +1381,8 @@ uint32_t pci_default_read_config(PCIDevice *d,
 {
     uint32_t val = 0;
 
+    assert(address + len <= pci_config_size(d));
+
     if (pci_is_express_downstream_port(d) &&
         ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) {
         pcie_sync_bridge_lnk(d);
-- 
2.26.2

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v2 0/2] Ensure PCI configuration access is within bounds, P J P, 2020/06/03
- [PATCH v2 1/2] ait-vga: check address before reading configuration bytes, P J P, 2020/06/03
  - Re: [PATCH v2 1/2] ait-vga: check address before reading configuration bytes, BALATON Zoltan, 2020/06/03
  - Re: [PATCH v2 1/2] ait-vga: check address before reading configuration bytes, Daniel P . Berrangé, 2020/06/04
    - Re: [PATCH v2 1/2] ait-vga: check address before reading configuration bytes, P J P, 2020/06/04
    - Re: [PATCH v2 1/2] ait-vga: check address before reading configuration bytes, Michael S. Tsirkin, 2020/06/04
- [PATCH v2 2/2] pci: ensure configuration access is within bounds, P J P <=
  - Re: [PATCH v2 2/2] pci: ensure configuration access is within bounds, BALATON Zoltan, 2020/06/03
    - Re: [PATCH v2 2/2] pci: ensure configuration access is within bounds, Gerd Hoffmann, 2020/06/04
    - Re: [PATCH v2 2/2] pci: ensure configuration access is within bounds, Michael S. Tsirkin, 2020/06/04
    - Re: [PATCH v2 2/2] pci: ensure configuration access is within bounds, P J P, 2020/06/04
    - Re: [PATCH v2 2/2] pci: ensure configuration access is within bounds, Philippe Mathieu-Daudé, 2020/06/04
    - Re: [PATCH v2 2/2] pci: ensure configuration access is within bounds, Michael S. Tsirkin, 2020/06/04
    - Re: [PATCH v2 2/2] pci: ensure configuration access is within bounds, BALATON Zoltan, 2020/06/04
    - Re: [PATCH v2 2/2] pci: ensure configuration access is within bounds, Michael S. Tsirkin, 2020/06/04
    - Re: [PATCH v2 2/2] pci: ensure configuration access is within bounds, BALATON Zoltan, 2020/06/04
    - Re: [PATCH v2 2/2] pci: ensure configuration access is within bounds, Michael S. Tsirkin, 2020/06/04

Prev by Date: [PATCH v2 1/2] ait-vga: check address before reading configuration bytes
Next by Date: Re: [PATCH v2] ati-vga: check mm_index before recursive call
Previous by thread: Re: [PATCH v2 1/2] ait-vga: check address before reading configuration bytes
Next by thread: Re: [PATCH v2 2/2] pci: ensure configuration access is within bounds
Index(es):
- Date
- Thread