[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [qemu-xen-traditional stable-4.6] MSI-X: avoid array overrun upon MSI-X table writes



commit 7457f4beae2583a106a4176949514e81248fc22d
Author:     Jan Beulich <jbeulich@xxxxxxxx>
AuthorDate: Mon Jan 4 15:34:29 2016 +0000
Commit:     Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>
CommitDate: Mon Jan 4 15:35:42 2016 +0000

    MSI-X: avoid array overrun upon MSI-X table writes
    
    pt_msix_init() allocates msix->msix_entry[] to just cover
    msix->total_entries entries. While pci_msix_readl() resorts to reading
    physical memory for out of bounds reads, pci_msix_writel() so far
    simply accessed/corrupted unrelated memory.
    
    pt_iomem_map()'s call to cpu_register_physical_memory() registers a
    page granular region, which is necessary as the Pending Bit Array may
    share space with the MSI-X table (but nothing else is allowed to). This
    also explains why pci_msix_readl() actually honors out of bounds reads,
    but pci_msi_writel() doesn't need to.
    
    This is XSA-164.
    
    Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
    Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx>
    (cherry picked from commit 569eac99e8ddccd15fe78e8a3af5622afe780e3b)
---
 hw/pt-msi.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/hw/pt-msi.c b/hw/pt-msi.c
index 3f5f94b..c6baea9 100644
--- a/hw/pt-msi.c
+++ b/hw/pt-msi.c
@@ -440,6 +440,13 @@ static void pci_msix_writel(void *opaque, 
target_phys_addr_t addr, uint32_t val)
         return;
     }
 
+    if ( addr - msix->mmio_base_addr >= msix->total_entries * 16 )
+    {
+        PT_LOG("Error: Out of bounds write to MSI-X table,"
+               " addr %016"PRIx64"\n", addr);
+        return;
+    }
+
     entry_nr = (addr - msix->mmio_base_addr) / 16;
     entry = &msix->msix_entry[entry_nr];
     offset = ((addr - msix->mmio_base_addr) % 16) / 4;
--
generated by git-patchbot for /home/xen/git/qemu-xen-traditional.git#stable-4.6

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxx
http://lists.xensource.com/xen-changelog


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.