[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen staging-4.20] tools/libs/light: fix BAR memory address truncation

To: xen-changelog@xxxxxxxxxxxxxxxxxxxx
From: patchbot@xxxxxxx
Date: Fri, 24 Oct 2025 12:33:12 +0000
Delivery-date: Fri, 24 Oct 2025 12:33:14 +0000
List-id: "Change log for Mercurial \(receive only\)" <xen-changelog.lists.xenproject.org>

commit ff9de4517afc8a998f5d4d950418ecf0d18fa23c
Author:     Jiqian Chen <Jiqian.Chen@xxxxxxx>
AuthorDate: Fri Oct 24 13:21:35 2025 +0100
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Fri Oct 24 13:22:41 2025 +0100

    tools/libs/light: fix BAR memory address truncation
    
    64-bit BAR memory address is truncated when removing a passthrough
    pci device from guest since it uses "unsigned int".
    
    So, change to use 64-bit type to fix this problem.
    
    This is XSA-476 / CVE-2025-58149.
    
    Fixes: b0a1af61678b ("libxenlight: implement pci passthrough")
    Signed-off-by: Jiqian Chen <Jiqian.Chen@xxxxxxx>
    Release-Acked-by: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>
    Reviewed-by: Juergen Gross <jgross@xxxxxxxx>
    Acked-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
    (cherry picked from commit 421432b822184f990cd9ef157bbc2a24cfe96727)
---
 tools/libs/light/libxl_pci.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/tools/libs/light/libxl_pci.c b/tools/libs/light/libxl_pci.c
index 1647fd6f47..7af602224a 100644
--- a/tools/libs/light/libxl_pci.c
+++ b/tools/libs/light/libxl_pci.c
@@ -2179,7 +2179,7 @@ static void pci_remove_detached(libxl__egc *egc,
 {
     STATE_AO_GC(prs->aodev->ao);
     libxl_ctx *ctx = libxl__gc_owner(gc);
-    unsigned int start = 0, end = 0, flags = 0, size = 0;
+    uint64_t start = 0, end = 0, flags = 0, size = 0;
     int  irq = 0, i, stubdomid = 0;
     const char *sysfs_path;
     FILE *f;
@@ -2209,7 +2209,8 @@ static void pci_remove_detached(libxl__egc *egc,
     }
 
     for (i = 0; i < PROC_PCI_NUM_RESOURCES; i++) {
-        if (fscanf(f, "0x%x 0x%x 0x%x\n", &start, &end, &flags) != 3)
+        if (fscanf(f, "0x%"SCNx64" 0x%"SCNx64" 0x%"SCNx64"\n",
+                   &start, &end, &flags) != 3)
             continue;
         size = end - start + 1;
         if (start) {
@@ -2218,7 +2219,7 @@ static void pci_remove_detached(libxl__egc *egc,
                                                  size, 0);
                 if (rc < 0)
                     LOGED(ERROR, domid,
-                          "xc_domain_ioport_permission error 0x%x/0x%x",
+                          "xc_domain_ioport_permission error 
%#"PRIx64"/%#"PRIx64,
                           start,
                           size);
             } else {
@@ -2228,7 +2229,7 @@ static void pci_remove_detached(libxl__egc *egc,
                                                 0);
                 if (rc < 0)
                     LOGED(ERROR, domid,
-                          "xc_domain_iomem_permission error 0x%x/0x%x",
+                          "xc_domain_iomem_permission error 
%#"PRIx64"/%#"PRIx64,
                           start,
                           size);
             }
--
generated by git-patchbot for /home/xen/git/xen.git#staging-4.20

Prev by Date: [xen staging] tools/libs/light: fix BAR memory address truncation
Next by Date: [xen staging-4.19] tools/libs/light: fix BAR memory address truncation
Previous by thread: [xen staging] tools/libs/light: fix BAR memory address truncation
Next by thread: [xen staging-4.19] tools/libs/light: fix BAR memory address truncation
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.