[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] pci: check address before reading configuration bytes
From: |
Philippe Mathieu-Daudé |
Subject: |
Re: [PATCH] pci: check address before reading configuration bytes |
Date: |
Wed, 3 Jun 2020 14:52:41 +0200 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 |
On 6/3/20 2:40 PM, P J P wrote:
> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> While reading PCI configuration bytes, a guest may send an
> address towards the end of the configuration space. It may lead
> to an OOB access issue. Add check to ensure 'address + len' is
> within PCI configuration space.
>
> Reported-by: Ren Ding <rding@gatech.edu>
> Reported-by: Hanqing Zhao <hanqing@gatech.edu>
> Reported-by: Yi Ren <c4tren@gmail.com>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> ---
> hw/pci/pci.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/hw/pci/pci.c b/hw/pci/pci.c
> index 70c66965f5..4429fa9401 100644
> --- a/hw/pci/pci.c
> +++ b/hw/pci/pci.c
> @@ -1385,7 +1385,9 @@ uint32_t pci_default_read_config(PCIDevice *d,
> ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) {
> pcie_sync_bridge_lnk(d);
> }
> - memcpy(&val, d->config + address, len);
> + if (address + len <= pci_config_size(d)) {
We don't want to hide/ignore earlier bugs, so IMO the caller should
check for access in range, and this function abort() as it should never
been called with such arguments.
> + memcpy(&val, d->config + address, len);
> + }
> return le32_to_cpu(val);
> }
>
>