From: sashiko-bot@kernel.org
To: "Chengwen Feng" <fengchengwen@huawei.com>
Cc: linux-pci@vger.kernel.org, kvm@vger.kernel.org
Subject: Re: [PATCH v16 08/12] vfio/pci: Hide TPH capability when TPH is unsupported
Date: Thu, 04 Jun 2026 13:48:33 +0000 [thread overview]
Message-ID: <20260604134833.991281F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260604132804.28678-9-fengchengwen@huawei.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Missing bounds check on parsed PCIe capability length causes heap buffer overflow.
--
commit 2c400d6c4f255c3b600592b504b9399d3cd59033
Author: Chengwen Feng <fengchengwen@huawei.com>
vfio/pci: Hide TPH capability when TPH is unsupported
Check the device negotiated TPH support status before parsing the TPH
extended capability. Return zero length to hide the capability from
userspace if TPH is disabled during topology negotiation.
> diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
> index a10ed733f0e3a..5c6ab172df6c0 100644
> --- a/drivers/vfio/pci/vfio_pci_config.c
> +++ b/drivers/vfio/pci/vfio_pci_config.c
[ ... ]
> @@ -1450,6 +1451,8 @@ static int vfio_ext_cap_len(struct vfio_pci_core_device *vdev, u16 ecap, u16 epo
> byte &= PCI_DPA_CAP_SUBSTATE_MASK;
> return PCI_DPA_BASE_SIZEOF + byte + 1;
> case PCI_EXT_CAP_ID_TPH:
> + if (!pcie_tph_supported(pdev, false))
> + return 0;
> ret = pci_read_config_dword(pdev, epos + PCI_TPH_CAP, &dword);
> if (ret)
> return pcibios_err_to_errno(ret);
[Severity: Critical]
This is a pre-existing issue, but since we are adding support for another
variable-length capability, can the capability length returned here cause a
heap buffer overflow?
Looking at vfio_ecap_init() in drivers/vfio/pci/vfio_pci_config.c, the
returned length is used in memset() and vfio_fill_vconfig_bytes() without
bounds checking against the size of the config space buffer:
drivers/vfio/pci/vfio_pci_config.c:vfio_ecap_init() {
...
len = vfio_ext_cap_len(vdev, ecap, epos);
...
memset(map + epos, ecap, len);
ret = vfio_fill_vconfig_bytes(vdev, epos, len);
...
}
If a malicious or compromised PCIe endpoint provides forged values for
capabilities like TPH or VNDR, resulting in a length that makes
epos + len > pdev->cfg_size, would this result in an out-of-bounds write
past the boundaries of the map and vconfig heap buffers?
A similar issue appears to exist for standard capabilities in vfio_cap_init()
where length is also not bounds-checked:
drivers/vfio/pci/vfio_pci_config.c:vfio_cap_init() {
...
memset(map + pos, cap, len);
ret = vfio_fill_vconfig_bytes(vdev, pos, len);
...
}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260604132804.28678-1-fengchengwen@huawei.com?part=8
next prev parent reply other threads:[~2026-06-04 13:48 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-04 13:27 [PATCH v16 00/12] vfio/pci: Add PCIe TPH support Chengwen Feng
2026-06-04 13:27 ` [PATCH v16 01/12] PCI/TPH: Fix pcie_tph_get_st_table_loc() field extraction Chengwen Feng
2026-06-04 13:27 ` [PATCH v16 02/12] PCI/TPH: Fix tph_enabled concurrent update race by bitfield packing Chengwen Feng
2026-06-04 13:27 ` [PATCH v16 03/12] PCI/TPH: Cache TPH requester capability at probe time Chengwen Feng
2026-06-04 13:27 ` [PATCH v16 04/12] PCI/TPH: Refactor pcie_enable_tph & add explicit requester variant Chengwen Feng
2026-06-04 13:27 ` [PATCH v16 05/12] PCI/TPH: Refactor pcie_tph_get_cpu_st & add explicit variant Chengwen Feng
2026-06-04 13:27 ` [PATCH v16 06/12] PCI/TPH: expose the enabled TPH requester type Chengwen Feng
2026-06-04 13:27 ` [PATCH v16 07/12] PCI/TPH: Add pcie_tph_supported() helper to check TPH capability attributes Chengwen Feng
2026-06-04 13:28 ` [PATCH v16 08/12] vfio/pci: Hide TPH capability when TPH is unsupported Chengwen Feng
2026-06-04 13:48 ` sashiko-bot [this message]
2026-06-04 13:28 ` [PATCH v16 09/12] vfio/pci: Add TPH_ENABLE feature skeleton and unsafe module parameter Chengwen Feng
2026-06-04 13:54 ` sashiko-bot
2026-06-15 1:26 ` fengchengwen
2026-06-04 13:28 ` [PATCH v16 10/12] vfio/pci: Add TPH_CPU_ST to query CPU's TPH steering tag Chengwen Feng
2026-06-04 13:55 ` sashiko-bot
2026-06-15 1:31 ` fengchengwen
2026-06-04 13:28 ` [PATCH v16 11/12] vfio/pci: Add TPH_ST_CONFIG for PCIe TPH ST configuration Chengwen Feng
2026-06-04 13:51 ` sashiko-bot
2026-06-04 13:28 ` [PATCH v16 12/12] vfio/pci: Virtualize PCIe TPH capability registers Chengwen Feng
2026-06-04 14:05 ` sashiko-bot
2026-06-15 3:57 ` fengchengwen
2026-06-15 12:19 ` [PATCH v16 00/12] vfio/pci: Add PCIe TPH support fengchengwen
2026-06-15 14:19 ` Alex Williamson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260604134833.991281F00893@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=fengchengwen@huawei.com \
--cc=kvm@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.