[PATCH] hw/i386/intel_iommu: Fix out-of-bounds access on guest IRT
From: Jan Kiszka
Subject: [PATCH] hw/i386/intel_iommu: Fix out-of-bounds access on guest IRT
Date: Tue, 10 Mar 2020 18:42:11 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0
From: Jan Kiszka <address@hidden>
vtd_irte_get failed to check the index against the configured table
size, causing an out-of-bounds access on guest memory and potentially
misinterpreting the result.
Signed-off-by: Jan Kiszka <address@hidden>
---
BTW, we still miss error reporting emulation, right? Therefore, I added
that simple error_report_once thing, like the other paths do.
hw/i386/intel_iommu.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index 204b6841ec..df7ad254ac 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -3094,6 +3094,12 @@ static int vtd_irte_get(IntelIOMMUState *iommu, uint16_t
index,
uint16_t mask, source_id;
uint8_t bus, bus_max, bus_min;
+ if (index >= iommu->intr_size) {
+ error_report_once("%s: index too large: ind=0x%x",
+ __func__, index);
+ return -VTD_FR_IR_INDEX_OVER;
+ }
+
addr = iommu->intr_root + index * sizeof(*entry);
if (dma_memory_read(&address_space_memory, addr, entry,
sizeof(*entry))) {
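Review bot: The comparison in `if (index >= iommu->intr_size)` is only a correct bound if `intr_size` is a count of entries, since the very next line scales `index` by `sizeof(*entry)` to form the guest address. The hunk does not show where `intr_size` is set, so please confirm it is an entry count rather than a byte size or an encoded size field, and consider a one-line comment above the check stating the unit. A smaller point on the same block: the `error_report_once` message prints only `ind`; also printing `iommu->intr_size` (with a format specifier matching its type) would let someone reading the log see the limit the index was rejected against.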
--
2.16.4
--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux