[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-changelog] [xen stable-4.12] x86/msi: fix loop termination condition in pci_msi_conf_write_intercept()



commit 7f2df4b62214645dc15488487da26eb32c7790b4
Author:     Paul Durrant <paul.durrant@xxxxxxxxxx>
AuthorDate: Fri Jul 5 10:25:46 2019 +0200
Commit:     Jan Beulich <jbeulich@xxxxxxxx>
CommitDate: Fri Jul 5 10:25:46 2019 +0200

    x86/msi: fix loop termination condition in pci_msi_conf_write_intercept()
    
    The for loop that deals with MSI masking is coded as follows:
    
    for ( pos = 0; pos < entry->msi.nvec; ++pos, ++entry )
    
    Thus the loop termination condition is dereferencing a struct pointer that
    is being incremented by the loop.
    
    A block of MSI entries stores the number of vectors in entry[0].msi.nvec,
    with all subsequent entries using a value of 0.  Therefore, for a block of
    two or more MSIs will terminate the loop early, as entry[1].msi.nvec is 0.
    
    However, for a single MSI, ++entry moves the pointer out of bounds, and a
    bogus read is used for the termination condition.  In the case that the
    loop body gets entered, there are subsequent OoB writes which clobber
    adjacent memory in the heap.
    
    This patch simply initializes a stack variable to the value of
    entry->msi.nvec before starting the loop and then uses that in the
    termination condition instead.
    
    Signed-off-by: Paul Durrant <paul.durrant@xxxxxxxxxx>
    Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
    Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>
    master commit: 56ad626532eb7addeef2bb2f5f67a15756b5cee2
    master date: 2019-07-02 12:00:42 +0100
---
 xen/arch/x86/msi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/msi.c b/xen/arch/x86/msi.c
index babc4147c4..89e61160e9 100644
--- a/xen/arch/x86/msi.c
+++ b/xen/arch/x86/msi.c
@@ -1328,6 +1328,7 @@ int pci_msi_conf_write_intercept(struct pci_dev *pdev, 
unsigned int reg,
     {
         uint16_t cntl;
         uint32_t unused;
+        unsigned int nvec = entry->msi.nvec;
 
         pos = entry->msi_attrib.pos;
         if ( reg < pos || reg >= entry->msi.mpos + 8 )
@@ -1340,7 +1341,7 @@ int pci_msi_conf_write_intercept(struct pci_dev *pdev, 
unsigned int reg,
 
         cntl = pci_conf_read16(seg, bus, slot, func, msi_control_reg(pos));
         unused = ~(uint32_t)0 >> (32 - multi_msi_capable(cntl));
-        for ( pos = 0; pos < entry->msi.nvec; ++pos, ++entry )
+        for ( pos = 0; pos < nvec; ++pos, ++entry )
         {
             entry->msi_attrib.guest_masked =
                 *data >> entry->msi_attrib.entry_nr;
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.12

_______________________________________________
Xen-changelog mailing list
Xen-changelog@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/xen-changelog

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.