[Stable-7.2.11 21/41] pcie_sriov: Validate NumVFs
From: Michael Tokarev
Subject: [Stable-7.2.11 21/41] pcie_sriov: Validate NumVFs
Date: Wed, 10 Apr 2024 08:43:42 +0300
From: Akihiko Odaki <akihiko.odaki@daynix.com>
The guest may write NumVFs greater than TotalVFs and that can lead
to buffer overflow in VF implementations.
Cc: qemu-stable@nongnu.org
Fixes: CVE-2024-26327
Fixes: 7c0fa8dff811 ("pcie: Add support for Single Root I/O Virtualization
(SR/IOV)")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-Id: <20240228-reuse-v8-2-282660281e60@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Sriram Yagnaraman <sriram.yagnaraman@ericsson.com>
(cherry picked from commit 6081b4243cd64dff1b2cf5b0c215c71e9d7e753b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
diff --git a/hw/pci/pcie_sriov.c b/hw/pci/pcie_sriov.c
index 3703d250f0..0d58e4db43 100644
--- a/hw/pci/pcie_sriov.c
+++ b/hw/pci/pcie_sriov.c
@@ -176,6 +176,9 @@ static void register_vfs(PCIDevice *dev)
assert(sriov_cap > 0);
num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF);
+ if (num_vfs > pci_get_word(dev->config + sriov_cap + PCI_SRIOV_TOTAL_VF)) {
+ return;
+ }
dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs);
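Review bot: the new `num_vfs > TotalVFs` branch in register_vfs() returns silently, and because the function is `static void` the caller cannot tell that no VFs were registered. Consider emitting a guest-error diagnostic before the `return` (for example via `qemu_log_mask(LOG_GUEST_ERROR, ...)`) so that a guest writing an out-of-range NumVFs is visible when debugging. The upper bound is also read back from `dev->config` with `pci_get_word(... + PCI_SRIOV_TOTAL_VF)`, so the check only holds if the guest cannot modify that field. A short comment stating that TotalVFs is read-only to the guest would make the assumption explicit for the VF implementations that size their buffers from it.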
--
2.39.2