| Message ID | 20231026070636.1165037-3-clg@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | vfio/pci: Fix buffer overrun when writing the VF token | expand |
On Thu, 26 Oct 2023 at 08:08, Cédric Le Goater <clg@redhat.com> wrote: > > qemu_uuid_unparse() includes a trailing NUL when writing the uuid > string and the buffer size should be UUID_FMT_LEN + 1 bytes. Use the > recently added UUID_STR_LEN which defines the correct size. > > Fixes: CID 1522913 > Fixes: 2dca1b37a760 ("vfio/pci: add support for VF token") > Cc: Alex Williamson <alex.williamson@redhat.com> > Reviewed-by: Alex Williamson <alex.williamson@redhat.com> > Reviewed-by: Juan Quintela <quintela@redhat.com> > Signed-off-by: Cédric Le Goater <clg@redhat.com> > --- > hw/vfio/pci.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c > index 9bfa83aca1a87952e18743c9ca951b1bfc873507..c02a5d70f5e1b8e4d22051285748f514f1b9f008 100644 > --- a/hw/vfio/pci.c > +++ b/hw/vfio/pci.c > @@ -3274,7 +3274,7 @@ static void vfio_realize(PCIDevice *pdev, Error **errp) > Error *err = NULL; > int i, ret; > bool is_mdev; > - char uuid[UUID_FMT_LEN]; > + char uuid[UUID_STR_LEN]; > char *name; > > if (vbasedev->fd < 0 && !vbasedev->sysfsdev) { This patch (and its dependency) should probably be cc qemu-stable ? thanks -- PMM
On 10/26/23 13:28, Peter Maydell wrote: > On Thu, 26 Oct 2023 at 08:08, Cédric Le Goater <clg@redhat.com> wrote: >> >> qemu_uuid_unparse() includes a trailing NUL when writing the uuid >> string and the buffer size should be UUID_FMT_LEN + 1 bytes. Use the >> recently added UUID_STR_LEN which defines the correct size. >> >> Fixes: CID 1522913 >> Fixes: 2dca1b37a760 ("vfio/pci: add support for VF token") >> Cc: Alex Williamson <alex.williamson@redhat.com> >> Reviewed-by: Alex Williamson <alex.williamson@redhat.com> >> Reviewed-by: Juan Quintela <quintela@redhat.com> >> Signed-off-by: Cédric Le Goater <clg@redhat.com> >> --- >> hw/vfio/pci.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c >> index 9bfa83aca1a87952e18743c9ca951b1bfc873507..c02a5d70f5e1b8e4d22051285748f514f1b9f008 100644 >> --- a/hw/vfio/pci.c >> +++ b/hw/vfio/pci.c >> @@ -3274,7 +3274,7 @@ static void vfio_realize(PCIDevice *pdev, Error **errp) >> Error *err = NULL; >> int i, ret; >> bool is_mdev; >> - char uuid[UUID_FMT_LEN]; >> + char uuid[UUID_STR_LEN]; >> char *name; >> >> if (vbasedev->fd < 0 && !vbasedev->sysfsdev) { > > This patch (and its dependency) should probably be cc qemu-stable ? yes. 8.1 is impacted. I was waiting for some feedback. Thanks, C.
diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c index 9bfa83aca1a87952e18743c9ca951b1bfc873507..c02a5d70f5e1b8e4d22051285748f514f1b9f008 100644 --- a/hw/vfio/pci.c +++ b/hw/vfio/pci.c @@ -3274,7 +3274,7 @@ static void vfio_realize(PCIDevice *pdev, Error **errp) Error *err = NULL; int i, ret; bool is_mdev; - char uuid[UUID_FMT_LEN]; + char uuid[UUID_STR_LEN]; char *name; if (vbasedev->fd < 0 && !vbasedev->sysfsdev) {
qemu_uuid_unparse() includes a trailing NUL when writing the uuid string and the buffer size should be UUID_FMT_LEN + 1 bytes. Use the recently added UUID_STR_LEN which defines the correct size. Fixes: CID 1522913 Fixes: 2dca1b37a760 ("vfio/pci: add support for VF token") Cc: Alex Williamson <alex.williamson@redhat.com> Reviewed-by: Alex Williamson <alex.williamson@redhat.com> Reviewed-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Cédric Le Goater <clg@redhat.com> --- hw/vfio/pci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)