Re: [PATCH v3 5/7] pcie_sriov: Validate NumVFs

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v3 5/7] pcie_sriov: Validate NumVFs

From:	Michael S. Tsirkin
Subject:	Re: [PATCH v3 5/7] pcie_sriov: Validate NumVFs
Date:	Tue, 13 Feb 2024 05:59:01 -0500

On Mon, Feb 12, 2024 at 07:20:33PM +0900, Akihiko Odaki wrote:
> The guest may write NumVFs greater than TotalVFs and that can lead
> to buffer overflow in VF implementations.
> 
> Fixes: 7c0fa8dff811 ("pcie: Add support for Single Root I/O Virtualization 
> (SR/IOV)")
> Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
> ---
>  hw/pci/pcie_sriov.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/hw/pci/pcie_sriov.c b/hw/pci/pcie_sriov.c
> index a1fe65f5d801..da209b7f47fd 100644
> --- a/hw/pci/pcie_sriov.c
> +++ b/hw/pci/pcie_sriov.c
> @@ -176,6 +176,9 @@ static void register_vfs(PCIDevice *dev)
>  
>      assert(sriov_cap > 0);
>      num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF);
> +    if (num_vfs > pci_get_word(dev->config + sriov_cap + 
> PCI_SRIOV_TOTAL_VF)) {
> +        return;
> +    }

Indeed:
     The results are undefined if NumVFs is set to a value greater than 
TotalVFs.

However I note that hw/nvme/ctrl.c will still poke at NumVFs.

Since it's undefined, I propose a simpler hack and just force it
to PCI_SRIOV_TOTAL_VF. This way everyone can just assume it's ok.


>  
>      dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs);
>  
> 
> -- 
> 2.43.0

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH v3 0/7] hw/pci: SR-IOV related fixes and improvements, Akihiko Odaki, 2024/02/12
- [PATCH v3 1/7] hw/pci: Use -1 as a default value for rombar, Akihiko Odaki, 2024/02/12
- [PATCH v3 2/7] hw/pci: Determine if rombar is explicitly enabled, Akihiko Odaki, 2024/02/12
  - Re: [PATCH v3 2/7] hw/pci: Determine if rombar is explicitly enabled, Michael S. Tsirkin, 2024/02/13
    - Re: [PATCH v3 2/7] hw/pci: Determine if rombar is explicitly enabled, Akihiko Odaki, 2024/02/13
- [PATCH v3 3/7] vfio: Avoid inspecting option QDict for rombar, Akihiko Odaki, 2024/02/12
- [PATCH v3 4/7] hw/qdev: Remove opts member, Akihiko Odaki, 2024/02/12
- [PATCH v3 5/7] pcie_sriov: Validate NumVFs, Akihiko Odaki, 2024/02/12
  - Re: [PATCH v3 5/7] pcie_sriov: Validate NumVFs, Michael S. Tsirkin <=
    - Re: [PATCH v3 5/7] pcie_sriov: Validate NumVFs, Akihiko Odaki, 2024/02/13
- [PATCH v3 6/7] pcie_sriov: Reuse SR-IOV VF device instances, Akihiko Odaki, 2024/02/12
  - Re: [PATCH v3 6/7] pcie_sriov: Reuse SR-IOV VF device instances, Michael S. Tsirkin, 2024/02/13
    - Re: [PATCH v3 6/7] pcie_sriov: Reuse SR-IOV VF device instances, Akihiko Odaki, 2024/02/13
- [PATCH v3 7/7] pcie_sriov: Release VFs failed to realize, Akihiko Odaki, 2024/02/12
- Message not available
  - RE: [PATCH v3 6/7] pcie_sriov: Reuse SR-IOV VF device instances, Minwoo Im, 2024/02/13
    - Re: [PATCH v3 6/7] pcie_sriov: Reuse SR-IOV VF device instances, Akihiko Odaki, 2024/02/13
    - Re: [PATCH v3 6/7] pcie_sriov: Reuse SR-IOV VF device instances, Akihiko Odaki, 2024/02/13

Prev by Date: Re: [PATCH rfcv2 18/18] intel_iommu: Block migration if cap is updated
Next by Date: Re: [PULL 00/12] Hppa64 patches
Previous by thread: [PATCH v3 5/7] pcie_sriov: Validate NumVFs
Next by thread: Re: [PATCH v3 5/7] pcie_sriov: Validate NumVFs
Index(es):
- Date
- Thread