From: Alex Williamson <alex@shazbot.org>
To: "Cédric Le Goater" <clg@redhat.com>
Cc: qemu-devel@nongnu.org, Feifan Qian <bea1e@proton.me>, alex@shazbot.org
Subject: Re: [PATCH] vfio/pci: Reject invalid MSI-X Table and PBA BIR values
Date: Mon, 6 Jul 2026 09:18:28 -0600 [thread overview]
Message-ID: <20260706091828.76964e59@shazbot.org> (raw)
In-Reply-To: <20260706143124.2076256-1-clg@redhat.com>
On Mon, 6 Jul 2026 16:31:24 +0200
Cédric Le Goater <clg@redhat.com> wrote:
> The 3-bit MSI-X BIR fields permit values 0-7, but VFIOPCIDevice::bars[]
> only contains BAR0-BAR5 (6 entries). An invalid BIR value of 6 or 7
> can cause an out-of-bounds array access (CWE-129) in vfio_msix_early_setup().
>
> Add range checks immediately after extracting the BIR values.
A compliant PCI device used for traditional device assignment is not
susceptible to this without a malicious intermediary. The primary
exposure seems to be a vfio-user server, maliciously or inadvertently
exposing bogus BIR values, which appears to introduce a DoS vector
without any reliable further exploit.
> Reported-by: Feifan Qian <bea1e@proton.me>
> Fixes: 65501a745dba ("vfio: vfio-pci device assignment driver")
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/3878
> Signed-off-by: Cédric Le Goater <clg@redhat.com>
> ---
> hw/vfio/pci.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
> index 67d9d9e846446577e8de7a8c588165c6f38c3bee..324e3f5d98206ccb64963ee232f69d3ada422ef5 100644
> --- a/hw/vfio/pci.c
> +++ b/hw/vfio/pci.c
> @@ -1762,6 +1762,14 @@ static bool vfio_msix_early_setup(VFIOPCIDevice *vdev, Error **errp)
> msix->pba_offset = pba & ~PCI_MSIX_FLAGS_BIRMASK;
> msix->entries = (ctrl & PCI_MSIX_FLAGS_QSIZE) + 1;
>
> + if (msix->table_bar >= PCI_NUM_REGIONS - 1 ||
> + msix->pba_bar >= PCI_NUM_REGIONS - 1) {
> + error_setg(errp, "invalid MSI-X BIR, table_bar=%d pba_bar=%d",
> + msix->table_bar, msix->pba_bar);
> + g_free(msix);
> + return false;
> + }
> +
> ret = vfio_device_get_irq_info(&vdev->vbasedev, VFIO_PCI_MSIX_IRQ_INDEX,
> &irq_info);
> if (ret < 0) {
Note that the vulnerability is an out-of-bounds index on vdev->bars, so
we could test >= ARRAY_SIZE(vdev->bars), which is sized as
(PCI_NUM_REGIONS - 1). Either way...
Reviewed-by: Alex Williamson <alex@shazbot.org>
prev parent reply other threads:[~2026-07-06 15:18 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-06 14:31 [PATCH] vfio/pci: Reject invalid MSI-X Table and PBA BIR values Cédric Le Goater
2026-07-06 15:18 ` Alex Williamson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260706091828.76964e59@shazbot.org \
--to=alex@shazbot.org \
--cc=bea1e@proton.me \
--cc=clg@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.