[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 29/56] pci: assert configuration access is within bounds
|
From: |
Michael S. Tsirkin |
|
Subject: |
[PULL 29/56] pci: assert configuration access is within bounds |
|
Date: |
Wed, 10 Jun 2020 00:27:37 -0400 |
From: Prasad J Pandit <pjp@fedoraproject.org>
While accessing PCI configuration bytes, assert that
'address + len' is within PCI configuration space.
Generally it is within bounds. This is more of a defensive
assert, in case a buggy device was to send 'address' which
may go out of bounds.
Suggested-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20200604113525.58898-1-ppandit@redhat.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
hw/pci/pci.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index 70c66965f5..7bf2ae6d92 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -1381,6 +1381,8 @@ uint32_t pci_default_read_config(PCIDevice *d,
{
uint32_t val = 0;
+ assert(address + len <= pci_config_size(d));
+
if (pci_is_express_downstream_port(d) &&
ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) {
pcie_sync_bridge_lnk(d);
@@ -1394,6 +1396,8 @@ void pci_default_write_config(PCIDevice *d, uint32_t
addr, uint32_t val_in, int
int i, was_irq_disabled = pci_irq_disabled(d);
uint32_t val = val_in;
+ assert(addr + l <= pci_config_size(d));
+
for (i = 0; i < l; val >>= 8, ++i) {
uint8_t wmask = d->wmask[addr + i];
uint8_t w1cmask = d->w1cmask[addr + i];
--
MST
- [PULL 18/56] tests/acpi: Add void tables for Q35/TPM-TIS bios-tables-test, (continued)
- [PULL 18/56] tests/acpi: Add void tables for Q35/TPM-TIS bios-tables-test, Michael S. Tsirkin, 2020/06/10
- [PULL 19/56] tests: tpm-emu: Remove assert on TPM2_ST_NO_SESSIONS, Michael S. Tsirkin, 2020/06/10
- [PULL 20/56] bios-tables-test: Add Q35/TPM-TIS test, Michael S. Tsirkin, 2020/06/10
- [PULL 22/56] virtio-balloon: fix free page hinting without an iothread, Michael S. Tsirkin, 2020/06/10
- [PULL 21/56] bios-tables-test: Generate reference tables for Q35/TPM-TIS, Michael S. Tsirkin, 2020/06/10
- [PULL 23/56] virtio-balloon: fix free page hinting check on unrealize, Michael S. Tsirkin, 2020/06/10
- [PULL 25/56] virtio-balloon: Implement support for page poison reporting feature, Michael S. Tsirkin, 2020/06/10
- [PULL 24/56] virtio-balloon: unref the iothread when unrealizing, Michael S. Tsirkin, 2020/06/10
- [PULL 27/56] MAINTAINERS: Fix the classification of bios-tables-test-allowed-diff.h, Michael S. Tsirkin, 2020/06/10
- [PULL 28/56] hw/pci/pcie: Move hot plug capability check to pre_plug callback, Michael S. Tsirkin, 2020/06/10
- [PULL 29/56] pci: assert configuration access is within bounds,
Michael S. Tsirkin <=
- [PULL 31/56] hw/pci/pci_bridge: Correct pci_bridge_io memory region size, Michael S. Tsirkin, 2020/06/10
- [PULL 32/56] hw/pci/pci_bridge: Use the IEC binary prefix definitions, Michael S. Tsirkin, 2020/06/10
- [PULL 33/56] hw/pci-host: Use the IEC binary prefix definitions, Michael S. Tsirkin, 2020/06/10
- [PULL 35/56] vhost-user-blk: delay vhost_user_blk_disconnect, Michael S. Tsirkin, 2020/06/10
- [PULL 34/56] char-socket: return -1 in case of disconnect during tcp_chr_write, Michael S. Tsirkin, 2020/06/10
- [PULL 36/56] Add helper to populate vhost-user message regions, Michael S. Tsirkin, 2020/06/10
- [PULL 38/56] Add VHOST_USER_PROTOCOL_F_CONFIGURE_MEM_SLOTS, Michael S. Tsirkin, 2020/06/10
- [PULL 39/56] Transmit vhost-user memory regions individually, Michael S. Tsirkin, 2020/06/10
- [PULL 40/56] Lift max memory slots limit imposed by vhost-user, Michael S. Tsirkin, 2020/06/10
- [PULL 41/56] Refactor out libvhost-user fault generation logic, Michael S. Tsirkin, 2020/06/10