[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v2 1/2] ait-vga: check address before reading configuration b

From: BALATON Zoltan
Subject: Re: [PATCH v2 1/2] ait-vga: check address before reading configuration bytes
Date: Wed, 3 Jun 2020 23:58:48 +0200 (CEST)
User-agent: Alpine 2.22 (BSF 395 2020-01-19)

On Thu, 4 Jun 2020, P J P wrote:
From: Prasad J Pandit <pjp@fedoraproject.org>

While reading PCI configuration bytes, a guest may send an
address towards the end of the configuration space. It may lead
to an OOB access issue. Add check to ensure 'address + size' is
within PCI configuration space.

Reported-by: Ren Ding <rding@gatech.edu>
Reported-by: Hanqing Zhao <hanqing@gatech.edu>
Reported-by: Yi Ren <c4tren@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
hw/display/ati.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

Update v2: add check to avoid OOB PCI configuration space access
 -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00711.html

diff --git a/hw/display/ati.c b/hw/display/ati.c
index bda4a2d816..6671959e5d 100644
--- a/hw/display/ati.c
+++ b/hw/display/ati.c
@@ -384,7 +384,10 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, 
unsigned int size)
        val = s->regs.crtc_pitch;
    case 0xf00 ... 0xfff:
-        val = pci_default_read_config(&s->dev, addr - 0xf00, size);
+        addr = addr - 0xf00;

I'd write this as addr -= 0xf00 but modifying addr here breaks the trace print out at end of function so better drop this line and do

if (addr + size <= 0xfff) {

instead. Or is that really (addr + size - 1 <= 0xfff) considering that reading the last byte with addr = 0xfff size = 1 should probably be valid.


+        if (addr + size <= 0xff) {
+            val = pci_default_read_config(&s->dev, addr, size);
+        }
    case CUR_OFFSET:
        val = s->regs.cur_offset;

reply via email to

[Prev in Thread] Current Thread [Next in Thread]