[PULL 43/68] pcie_sriov: Validate NumVFs

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PULL 43/68] pcie_sriov: Validate NumVFs

From:	Michael S. Tsirkin
Subject:	[PULL 43/68] pcie_sriov: Validate NumVFs
Date:	Tue, 12 Mar 2024 18:27:45 -0400

From: Akihiko Odaki <akihiko.odaki@daynix.com>

The guest may write NumVFs greater than TotalVFs and that can lead
to buffer overflow in VF implementations.

Cc: qemu-stable@nongnu.org
Fixes: CVE-2024-26327
Fixes: 7c0fa8dff811 ("pcie: Add support for Single Root I/O Virtualization 
(SR/IOV)")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-Id: <20240228-reuse-v8-2-282660281e60@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Sriram Yagnaraman <sriram.yagnaraman@ericsson.com>
---
 hw/pci/pcie_sriov.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/pci/pcie_sriov.c b/hw/pci/pcie_sriov.c
index a1fe65f5d8..da209b7f47 100644
--- a/hw/pci/pcie_sriov.c
+++ b/hw/pci/pcie_sriov.c
@@ -176,6 +176,9 @@ static void register_vfs(PCIDevice *dev)
 
     assert(sriov_cap > 0);
     num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF);
+    if (num_vfs > pci_get_word(dev->config + sriov_cap + PCI_SRIOV_TOTAL_VF)) {
+        return;
+    }
 
     dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs);
 
-- 
MST

[Prev in Thread]

Current Thread

[Next in Thread]

[PULL 32/68] hw/virtio: Add support for VDPA network simulation devices, (continued)
- [PULL 32/68] hw/virtio: Add support for VDPA network simulation devices, Michael S. Tsirkin, 2024/03/12
- [PULL 34/68] hw/display/macfb: Fix missing ERRP_GUARD() in macfb_nubus_realize(), Michael S. Tsirkin, 2024/03/12
- [PULL 35/68] hw/mem/cxl_type3: Fix missing ERRP_GUARD() in ct3_realize(), Michael S. Tsirkin, 2024/03/12
- [PULL 37/68] hw/pci-bridge/cxl_upstream: Fix missing ERRP_GUARD() in cxl_usp_realize(), Michael S. Tsirkin, 2024/03/12
- [PULL 42/68] hw/nvme: Use pcie_sriov_num_vfs(), Michael S. Tsirkin, 2024/03/12
- [PULL 36/68] hw/misc/xlnx-versal-trng: Check returned bool in trng_prop_fault_event_set(), Michael S. Tsirkin, 2024/03/12
- [PULL 38/68] hw/vfio/iommufd: Fix missing ERRP_GUARD() in iommufd_cdev_getfd(), Michael S. Tsirkin, 2024/03/12
- [PULL 39/68] hw/intc: Check @errp to handle the error of IOAPICCommonClass.realize(), Michael S. Tsirkin, 2024/03/12
- [PULL 40/68] Implement base of SMBIOS type 9 descriptor., Michael S. Tsirkin, 2024/03/12
- [PULL 41/68] Implement SMBIOS type 9 v2.6, Michael S. Tsirkin, 2024/03/12
- [PULL 43/68] pcie_sriov: Validate NumVFs, Michael S. Tsirkin <=
- [PULL 48/68] Revert "hw/i386/pc_sysfw: Inline pc_system_flash_create() and remove it", Michael S. Tsirkin, 2024/03/12
- [PULL 44/68] pcie_sriov: Reset SR-IOV extended capability, Michael S. Tsirkin, 2024/03/12
- [PULL 53/68] hw/i386/pc: Inline pc_cmos_init() into pc_cmos_init_late() and remove it, Michael S. Tsirkin, 2024/03/12
- [PULL 51/68] hw/i386/pc: Avoid one use of the current_machine global, Michael S. Tsirkin, 2024/03/12
- [PULL 46/68] hw/pci: Always call pcie_sriov_pf_reset(), Michael S. Tsirkin, 2024/03/12
- [PULL 45/68] pcie_sriov: Do not reset NumVFs after disabling VFs, Michael S. Tsirkin, 2024/03/12
- [PULL 47/68] pc: q35: Bump max_cpus to 4096 vcpus, Michael S. Tsirkin, 2024/03/12
- [PULL 49/68] Revert "hw/i386/pc: Confine system flash handling to pc_sysfw", Michael S. Tsirkin, 2024/03/12
- [PULL 50/68] hw/i386/pc: Remove "rtc_state" link again, Michael S. Tsirkin, 2024/03/12
- [PULL 52/68] hw/i386/pc: Set "normal" boot device order in pc_basic_device_init(), Michael S. Tsirkin, 2024/03/12

Prev by Date: [PULL 41/68] Implement SMBIOS type 9 v2.6
Next by Date: [PULL 48/68] Revert "hw/i386/pc_sysfw: Inline pc_system_flash_create() and remove it"
Previous by thread: [PULL 41/68] Implement SMBIOS type 9 v2.6
Next by thread: [PULL 48/68] Revert "hw/i386/pc_sysfw: Inline pc_system_flash_create() and remove it"
Index(es):
- Date
- Thread