[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-changelog] [qemu-xen-traditional stable-4.6] MSI-X: avoid array overrun upon MSI-X table writes
commit 7457f4beae2583a106a4176949514e81248fc22d Author: Jan Beulich <jbeulich@xxxxxxxx> AuthorDate: Mon Jan 4 15:34:29 2016 +0000 Commit: Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> CommitDate: Mon Jan 4 15:35:42 2016 +0000 MSI-X: avoid array overrun upon MSI-X table writes pt_msix_init() allocates msix->msix_entry[] to just cover msix->total_entries entries. While pci_msix_readl() resorts to reading physical memory for out of bounds reads, pci_msix_writel() so far simply accessed/corrupted unrelated memory. pt_iomem_map()'s call to cpu_register_physical_memory() registers a page granular region, which is necessary as the Pending Bit Array may share space with the MSI-X table (but nothing else is allowed to). This also explains why pci_msix_readl() actually honors out of bounds reads, but pci_msi_writel() doesn't need to. This is XSA-164. Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Acked-by: Ian Campbell <ian.campbell@xxxxxxxxxx> (cherry picked from commit 569eac99e8ddccd15fe78e8a3af5622afe780e3b) --- hw/pt-msi.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/hw/pt-msi.c b/hw/pt-msi.c index 3f5f94b..c6baea9 100644 --- a/hw/pt-msi.c +++ b/hw/pt-msi.c @@ -440,6 +440,13 @@ static void pci_msix_writel(void *opaque, target_phys_addr_t addr, uint32_t val) return; } + if ( addr - msix->mmio_base_addr >= msix->total_entries * 16 ) + { + PT_LOG("Error: Out of bounds write to MSI-X table," + " addr %016"PRIx64"\n", addr); + return; + } + entry_nr = (addr - msix->mmio_base_addr) / 16; entry = &msix->msix_entry[entry_nr]; offset = ((addr - msix->mmio_base_addr) % 16) / 4; -- generated by git-patchbot for /home/xen/git/qemu-xen-traditional.git#stable-4.6 _______________________________________________ Xen-changelog mailing list Xen-changelog@xxxxxxxxxxxxx http://lists.xensource.com/xen-changelog
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |