[PULL 10/61] hw/i386/intel_iommu: Fix out-of-bounds access on guest IRT

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PULL 10/61] hw/i386/intel_iommu: Fix out-of-bounds access on guest IRT

From:	Paolo Bonzini
Subject:	[PULL 10/61] hw/i386/intel_iommu: Fix out-of-bounds access on guest IRT
Date:	Mon, 16 Mar 2020 22:26:37 +0100

From: Jan Kiszka <address@hidden>

vtd_irte_get failed to check the index against the configured table
size, causing an out-of-bounds access on guest memory and potentially
misinterpreting the result.

Signed-off-by: Jan Kiszka <address@hidden>
Message-Id: <address@hidden>
Signed-off-by: Paolo Bonzini <address@hidden>
---
 hw/i386/intel_iommu.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c
index 204b684..df7ad25 100644
--- a/hw/i386/intel_iommu.c
+++ b/hw/i386/intel_iommu.c
@@ -3094,6 +3094,12 @@ static int vtd_irte_get(IntelIOMMUState *iommu, uint16_t 
index,
     uint16_t mask, source_id;
     uint8_t bus, bus_max, bus_min;
 
+    if (index >= iommu->intr_size) {
+        error_report_once("%s: index too large: ind=0x%x",
+                          __func__, index);
+        return -VTD_FR_IR_INDEX_OVER;
+    }
+
     addr = iommu->intr_root + index * sizeof(*entry);
     if (dma_memory_read(&address_space_memory, addr, entry,
                         sizeof(*entry))) {
-- 
1.8.3.1

[Prev in Thread]

Current Thread

[Next in Thread]

[PULL 00/61] Misc patches for soft freeze, Paolo Bonzini, 2020/03/16
- [PULL 02/61] optionrom/pvh: scan entire RSDP Area, Paolo Bonzini, 2020/03/16
- [PULL 01/61] scsi/qemu-pr-helper: Fix out-of-bounds access to trnptid_list[], Paolo Bonzini, 2020/03/16
- [PULL 04/61] misc: Replace zero-length arrays with flexible array member (manual), Paolo Bonzini, 2020/03/16
- [PULL 05/61] configure: add configure option avx512f_opt, Paolo Bonzini, 2020/03/16
- [PULL 08/61] WHPX: Use QEMU values for trapped CPUID, Paolo Bonzini, 2020/03/16
- [PULL 03/61] misc: Replace zero-length arrays with flexible array member (automatic), Paolo Bonzini, 2020/03/16
- [PULL 06/61] util: add util function buffer_zero_avx512(), Paolo Bonzini, 2020/03/16
  - Re: [PULL 06/61] util: add util function buffer_zero_avx512(), Paolo Bonzini, 2020/03/16
- [PULL 07/61] WHPX: TSC get and set should be dependent on VM state, Paolo Bonzini, 2020/03/16
- [PULL 10/61] hw/i386/intel_iommu: Fix out-of-bounds access on guest IRT, Paolo Bonzini <=
- [PULL 09/61] MAINTAINERS: Add entry for Guest X86 HAXM CPUs, Paolo Bonzini, 2020/03/16
  - Re: [PULL 09/61] MAINTAINERS: Add entry for Guest X86 HAXM CPUs, Colin Xu, 2020/03/17
    - Re: [PULL 09/61] MAINTAINERS: Add entry for Guest X86 HAXM CPUs, Paolo Bonzini, 2020/03/17
    - Re: [PULL 09/61] MAINTAINERS: Add entry for Guest X86 HAXM CPUs, Colin Xu, 2020/03/17
    - Re: [PULL 09/61] MAINTAINERS: Add entry for Guest X86 HAXM CPUs, Paolo Bonzini, 2020/03/17
    - Re: [PULL 09/61] MAINTAINERS: Add entry for Guest X86 HAXM CPUs, Colin Xu, 2020/03/17
- [PULL 11/61] oslib-posix: initialize mutex and condition variable, Paolo Bonzini, 2020/03/16
- [PULL 14/61] configure: Fix building with SASL on Windows, Paolo Bonzini, 2020/03/16
- [PULL 13/61] modules: load modules from versioned /var/run dir, Paolo Bonzini, 2020/03/16
- [PULL 16/61] memory: Fix start offset for bitmap log_clear hook, Paolo Bonzini, 2020/03/16

Prev by Date: [PULL 07/61] WHPX: TSC get and set should be dependent on VM state
Next by Date: [PULL 09/61] MAINTAINERS: Add entry for Guest X86 HAXM CPUs
Previous by thread: [PULL 07/61] WHPX: TSC get and set should be dependent on VM state
Next by thread: [PULL 09/61] MAINTAINERS: Add entry for Guest X86 HAXM CPUs
Index(es):
- Date
- Thread