[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[xen stable-4.17] tools/libs/light: fix BAR memory address truncation

commit 14b0ce576874031d17959cf1df65917d6e838523
Author:     Jiqian Chen <Jiqian.Chen@xxxxxxx>
AuthorDate: Fri Oct 24 13:23:34 2025 +0100
Commit:     Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
CommitDate: Fri Oct 24 13:23:46 2025 +0100

    tools/libs/light: fix BAR memory address truncation
    
    64-bit BAR memory address is truncated when removing a passthrough
    pci device from guest since it uses "unsigned int".
    
    So, change to use 64-bit type to fix this problem.
    
    This is XSA-476 / CVE-2025-58149.
    
    Fixes: b0a1af61678b ("libxenlight: implement pci passthrough")
    Signed-off-by: Jiqian Chen <Jiqian.Chen@xxxxxxx>
    Release-Acked-by: Oleksii Kurochko <oleksii.kurochko@xxxxxxxxx>
    Reviewed-by: Juergen Gross <jgross@xxxxxxxx>
    Acked-by: Anthony PERARD <anthony.perard@xxxxxxxxxx>
    (cherry picked from commit 421432b822184f990cd9ef157bbc2a24cfe96727)
---
 tools/libs/light/libxl_pci.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/tools/libs/light/libxl_pci.c b/tools/libs/light/libxl_pci.c
index f4c4f17545..37e2e26247 100644
--- a/tools/libs/light/libxl_pci.c
+++ b/tools/libs/light/libxl_pci.c
@@ -1995,7 +1995,7 @@ static void do_pci_remove(libxl__egc *egc, 
pci_remove_state *prs)
         char *sysfs_path = GCSPRINTF(SYSFS_PCI_DEV"/"PCI_BDF"/resource", 
pci->domain,
                                      pci->bus, pci->dev, pci->func);
         FILE *f = fopen(sysfs_path, "r");
-        unsigned int start = 0, end = 0, flags = 0, size = 0;
+        uint64_t start = 0, end = 0, flags = 0, size = 0;
         int irq = 0;
         int i;
 
@@ -2004,7 +2004,8 @@ static void do_pci_remove(libxl__egc *egc, 
pci_remove_state *prs)
             goto skip1;
         }
         for (i = 0; i < PROC_PCI_NUM_RESOURCES; i++) {
-            if (fscanf(f, "0x%x 0x%x 0x%x\n", &start, &end, &flags) != 3)
+            if (fscanf(f, "0x%"SCNx64" 0x%"SCNx64" 0x%"SCNx64"\n",
+                       &start, &end, &flags) != 3)
                 continue;
             size = end - start + 1;
             if (start) {
@@ -2012,7 +2013,7 @@ static void do_pci_remove(libxl__egc *egc, 
pci_remove_state *prs)
                     rc = xc_domain_ioport_permission(ctx->xch, domid, start, 
size, 0);
                     if (rc < 0)
                         LOGED(ERROR, domainid,
-                              "xc_domain_ioport_permission error 0x%x/0x%x",
+                              "xc_domain_ioport_permission error 
%#"PRIx64"/%#"PRIx64,
                               start,
                               size);
                 } else {
@@ -2020,7 +2021,7 @@ static void do_pci_remove(libxl__egc *egc, 
pci_remove_state *prs)
                                                     
(size+(XC_PAGE_SIZE-1))>>XC_PAGE_SHIFT, 0);
                     if (rc < 0)
                         LOGED(ERROR, domainid,
-                              "xc_domain_iomem_permission error 0x%x/0x%x",
+                              "xc_domain_iomem_permission error 
%#"PRIx64"/%#"PRIx64,
                               start,
                               size);
                 }
--
generated by git-patchbot for /home/xen/git/xen.git#stable-4.17

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.