From: "Michael S. Tsirkin" <mst@redhat.com>
To: Donald Dutile <ddutile@redhat.com>
Cc: kvm@vger.kernel.org, alex.williamson@redhat.com
Subject: Re: [PATCH 1/2] pci: bounds check offsets into config_map
Date: Thu, 21 Jul 2011 11:11:27 +0300 [thread overview]
Message-ID: <20110721081127.GC20360@redhat.com> (raw)
In-Reply-To: <20110720234638.5002.55773.stgit@dddsys0.bos.redhat.com>
On Wed, Jul 20, 2011 at 07:49:34PM -0400, Donald Dutile wrote:
> Bounds check to avoid walking off config_map[]
> and corrupting what is after it.
>
> Signed-off-by: Donald Dutile <ddutile@redhat.com>
> cc: Alex Williamson <alex.williamson@redhat.com>
> cc: Michael S. Tsirkin <mst@redhat.com>
> ---
>
> hw/pci.c | 16 ++++++++++++++--
> 1 files changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/hw/pci.c b/hw/pci.c
> index 5deaa04..9a7ff2d 100644
> --- a/hw/pci.c
> +++ b/hw/pci.c
> @@ -2078,12 +2078,24 @@ int pci_add_capability(PCIDevice *pdev, uint8_t cap_id,
> }
> } else {
> int i;
> + uint32_t config_size = pci_config_size(pdev);
This is actually slightly wrong: even for express
devices, legacy capabilities can not spill out from
the low 256 bytes: the extended config space has its
own capability list always starting with the express
capability at offset 256.
> +
> + /* ensure don't walk off end of config_map[] */
> + if (offset > (config_size - size)) {
I prefer not to have () around math here.
> + fprintf(stderr, "ERROR: %04x:%02x:%02x.%x "
> + "Attempt to add PCI capability 0x%x at offset 0x%x,"
> + "size 0x%x, which exceeds emulated PCI config space 0x%x\n",
> + pci_find_domain(pdev->bus), pci_bus_num(pdev->bus),
> + PCI_SLOT(pdev->devfn), PCI_FUNC(pdev->devfn),
> + cap_id, offset, size, config_size);
> + return -EINVAL;
> + }
>
> for (i = offset; i < offset + size; i++) {
> if (pdev->config_map[i]) {
> fprintf(stderr, "ERROR: %04x:%02x:%02x.%x "
> - "Attempt to add PCI capability %x at offset "
> - "%x overlaps existing capability %x at offset %x\n",
> + "Attempt to add PCI capability 0x%x at offset "
> + "0x%x overlaps existing capability 0x%x at offset 0x%x\n",
> pci_find_domain(pdev->bus), pci_bus_num(pdev->bus),
> PCI_SLOT(pdev->devfn), PCI_FUNC(pdev->devfn),
> cap_id, offset, pdev->config_map[i], i);
next prev parent reply other threads:[~2011-07-21 8:11 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-07-20 23:46 [PATCH 0/2] pci: config space bounds check and correction Donald Dutile
2011-07-20 23:49 ` [PATCH 1/2] pci: bounds check offsets into config_map Donald Dutile
2011-07-21 8:11 ` Michael S. Tsirkin [this message]
2011-07-21 15:52 ` Don Dutile
2011-07-20 23:51 ` [PATCH 2/2] pci: correct pci config size default for cap version 2 endpoints Donald Dutile
2011-07-21 2:43 ` Alex Williamson
2011-07-21 15:52 ` Don Dutile
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110721081127.GC20360@redhat.com \
--to=mst@redhat.com \
--cc=alex.williamson@redhat.com \
--cc=ddutile@redhat.com \
--cc=kvm@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.