
[1/1] display/bochs: fix pcie support

Message ID 20190812065221.20907-2-kraxel@redhat.com
State New, archived
Series display/bochs: fix pcie support (qemu security issue) | expand

Commit Message

Gerd Hoffmann Aug. 12, 2019, 6:52 a.m. UTC
Set QEMU_PCI_CAP_EXPRESS unconditionally in init(), then clear it in
realize() in case the device is not connected to a PCIe bus.

This makes sure the PCI config space allocation is big enough, so guest
accesses to the PCIe extended config space do not overflow the PCI
config space buffer.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/display/bochs-display.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

Comments

Alex Williamson Aug. 12, 2019, 12:59 p.m. UTC | #1
On Mon, 12 Aug 2019 08:52:21 +0200
Gerd Hoffmann <kraxel@redhat.com> wrote:

> Set QEMU_PCI_CAP_EXPRESS unconditionally in init(), then clear it in
> realize() in case the device is not connected to a PCIe bus.
> 
> This makes sure the pci config space allocation is big enough, so
> accessing the PCIe extended config space doesn't overflow the pci
> config space buffer.
> 
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>  hw/display/bochs-display.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)


Reviewed-by: Alex Williamson <alex.williamson@redhat.com>

 
> diff --git a/hw/display/bochs-display.c b/hw/display/bochs-display.c
> index 582133dd719c..8e83b5164b67 100644
> --- a/hw/display/bochs-display.c
> +++ b/hw/display/bochs-display.c
> @@ -297,9 +297,10 @@ static void bochs_display_realize(PCIDevice *dev, Error **errp)
>      }
>  
>      if (pci_bus_is_express(pci_get_bus(dev))) {
> -        dev->cap_present |= QEMU_PCI_CAP_EXPRESS;
>          ret = pcie_endpoint_cap_init(dev, 0x80);
>          assert(ret > 0);
> +    } else {
> +        dev->cap_present &= ~QEMU_PCI_CAP_EXPRESS;
>      }
>  
>      memory_region_set_log(&s->vram, true, DIRTY_MEMORY_VGA);
> @@ -322,11 +323,15 @@ static void bochs_display_set_big_endian_fb(Object *obj, bool value,
>  
>  static void bochs_display_init(Object *obj)
>  {
> +    PCIDevice *dev = PCI_DEVICE(obj);
> +
>      /* Expose framebuffer byteorder via QOM */
>      object_property_add_bool(obj, "big-endian-framebuffer",
>                               bochs_display_get_big_endian_fb,
>                               bochs_display_set_big_endian_fb,
>                               NULL);
> +
> +    dev->cap_present |= QEMU_PCI_CAP_EXPRESS;
>  }
>  
>  static void bochs_display_exit(PCIDevice *dev)

Patch

diff --git a/hw/display/bochs-display.c b/hw/display/bochs-display.c
index 582133dd719c..8e83b5164b67 100644
--- a/hw/display/bochs-display.c
+++ b/hw/display/bochs-display.c
@@ -297,9 +297,10 @@  static void bochs_display_realize(PCIDevice *dev, Error **errp)
     }
 
     if (pci_bus_is_express(pci_get_bus(dev))) {
-        dev->cap_present |= QEMU_PCI_CAP_EXPRESS;
         ret = pcie_endpoint_cap_init(dev, 0x80);
         assert(ret > 0);
+    } else {
+        dev->cap_present &= ~QEMU_PCI_CAP_EXPRESS;
     }
 
     memory_region_set_log(&s->vram, true, DIRTY_MEMORY_VGA);
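Review bot: The new `else` branch clears QEMU_PCI_CAP_EXPRESS without saying why the flag was ever set on a device that is not on a PCIe bus, so a later reader could "simplify" this back to setting the flag only inside the `if` and silently reintroduce the config-space overflow the commit fixes. Suggest a why-comment on the `else` line: `/* QEMU_PCI_CAP_EXPRESS is set in bochs_display_init() so the config space buffer is allocated at PCIe size; clear it here so a device on a conventional PCI bus does not advertise PCIe. Do not move the set back into the if-branch. */`. The branch also relies on `pci_get_bus(dev)` being attached before realize() runs, which holds for the normal qdev realize path but is an ordering assumption worth stating in the same comment. bochs_display_realize begins before this hunk and continues after it.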
@@ -322,11 +323,15 @@  static void bochs_display_set_big_endian_fb(Object *obj, bool value,
 
 static void bochs_display_init(Object *obj)
 {
+    PCIDevice *dev = PCI_DEVICE(obj);
+
     /* Expose framebuffer byteorder via QOM */
     object_property_add_bool(obj, "big-endian-framebuffer",
                              bochs_display_get_big_endian_fb,
                              bochs_display_set_big_endian_fb,
                              NULL);
+
+    dev->cap_present |= QEMU_PCI_CAP_EXPRESS;
 }
 
 static void bochs_display_exit(PCIDevice *dev)
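Review bot: `dev->cap_present |= QEMU_PCI_CAP_EXPRESS;` at the end of bochs_display_init carries the whole fix but has no comment, and nothing in the code ties it to the matching clear in realize(). Suggest a comment above that line: `/* Must be set before realize(): the PCI config space buffer is presumably allocated (sized from cap_present) between instance init and realize, and an undersized buffer lets guest accesses to the PCIe extended config space overflow it. Cleared again in bochs_display_realize() when the bus is not PCIe. */`. Since this is a security fix driven by guest-reachable config space reads and writes, a regression test that plugs the device into a PCIe bus and accesses config offsets beyond the conventional config space would be a useful follow-up, though the relevant test infrastructure is not visible in this diff. It may also be worth checking whether other PCI devices set the flag only in realize() in the same way, although nothing here shows that they do.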