| Message ID | 20240228-reuse-v8-2-282660281e60@daynix.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | hw/pci: SR-IOV related fixes and improvements | expand |
> -----Original Message----- > From: Akihiko Odaki <akihiko.odaki@daynix.com> > Sent: Wednesday, 28 February 2024 12:33 > To: Philippe Mathieu-Daudé <philmd@linaro.org>; Michael S. Tsirkin > <mst@redhat.com>; Marcel Apfelbaum <marcel.apfelbaum@gmail.com>; > Alex Williamson <alex.williamson@redhat.com>; Cédric Le Goater > <clg@redhat.com>; Paolo Bonzini <pbonzini@redhat.com>; Daniel P. > Berrangé <berrange@redhat.com>; Eduardo Habkost > <eduardo@habkost.net>; Sriram Yagnaraman > <sriram.yagnaraman@ericsson.com>; Jason Wang <jasowang@redhat.com>; > Keith Busch <kbusch@kernel.org>; Klaus Jensen <its@irrelevant.dk>; Markus > Armbruster <armbru@redhat.com> > Cc: qemu-devel@nongnu.org; qemu-block@nongnu.org; Akihiko Odaki > <akihiko.odaki@daynix.com>; qemu-stable@nongnu.org > Subject: [PATCH v8 02/15] pcie_sriov: Validate NumVFs > > The guest may write NumVFs greater than TotalVFs and that can lead to buffer > overflow in VF implementations. > > Cc: qemu-stable@nongnu.org > Fixes: CVE-2024-26327 > Fixes: 7c0fa8dff811 ("pcie: Add support for Single Root I/O Virtualization > (SR/IOV)") > Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> > --- > hw/pci/pcie_sriov.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/hw/pci/pcie_sriov.c b/hw/pci/pcie_sriov.c index > a1fe65f5d801..da209b7f47fd 100644 > --- a/hw/pci/pcie_sriov.c > +++ b/hw/pci/pcie_sriov.c > @@ -176,6 +176,9 @@ static void register_vfs(PCIDevice *dev) > > assert(sriov_cap > 0); > num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF); > + if (num_vfs > pci_get_word(dev->config + sriov_cap + > PCI_SRIOV_TOTAL_VF)) { > + return; > + } > > dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs); > > > -- > 2.43.2 Assuming change of my mail address from sriram.yagnaraman@est.tech to @ericsson.com is accepted, Reviewed-by: Sriram Yagnaraman <sriram.yagnaraman@ericsson.com>
diff --git a/hw/pci/pcie_sriov.c b/hw/pci/pcie_sriov.c index a1fe65f5d801..da209b7f47fd 100644 --- a/hw/pci/pcie_sriov.c +++ b/hw/pci/pcie_sriov.c @@ -176,6 +176,9 @@ static void register_vfs(PCIDevice *dev) assert(sriov_cap > 0); num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF); + if (num_vfs > pci_get_word(dev->config + sriov_cap + PCI_SRIOV_TOTAL_VF)) { + return; + } dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs);
The guest may write NumVFs greater than TotalVFs and that can lead to buffer overflow in VF implementations. Cc: qemu-stable@nongnu.org Fixes: CVE-2024-26327 Fixes: 7c0fa8dff811 ("pcie: Add support for Single Root I/O Virtualization (SR/IOV)") Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> --- hw/pci/pcie_sriov.c | 3 +++ 1 file changed, 3 insertions(+)