From: David Edmondson <david.edmondson@oracle.com>
To: Paolo Bonzini <pbonzini@redhat.com>, qemu-devel@nongnu.org
Cc: lersek@redhat.com, "Philippe Mathieu-Daudé" <philmd@redhat.com>,
peterx@redhat.com, mst@redhat.com
Subject: Re: [PATCH v3 1/2] pci: reject too large ROMs
Date: Wed, 03 Feb 2021 14:08:00 +0000
Message-ID: <cunh7mtnt1b.fsf@oracle.com>
In-Reply-To: <20210203131828.156467-2-pbonzini@redhat.com>
On Wednesday, 2021-02-03 at 14:18:27 +01, Paolo Bonzini wrote:
> get_image_size() returns an int64_t, which pci_add_option_rom() assigns
> to an "int" without any range checking. A 32-bit BAR could be up to
> 2 GiB in size, so reject anything above it. In order to accommodate
> a rounded-up size of 2 GiB, change pci_patch_ids's size argument
> to unsigned.
>
> Reviewed-by: Peter Xu <peterx@redhat.com>
> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
> Reviewed-by: Laszlo Ersek <lersek@redhat.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: David Edmondson <david.edmondson@oracle.com>
> ---
> hw/pci/pci.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/hw/pci/pci.c b/hw/pci/pci.c
> index 512e9042ff..58560c044d 100644
> --- a/hw/pci/pci.c
> +++ b/hw/pci/pci.c
> @@ -25,6 +25,7 @@
> #include "qemu/osdep.h"
> #include "qemu-common.h"
> #include "qemu/datadir.h"
> +#include "qemu/units.h"
> #include "hw/irq.h"
> #include "hw/pci/pci.h"
> #include "hw/pci/pci_bridge.h"
> @@ -2234,7 +2235,7 @@ static uint8_t pci_find_capability_at_offset(PCIDevice *pdev, uint8_t offset)
>
> /* Patch the PCI vendor and device ids in a PCI rom image if necessary.
> This is needed for an option rom which is used for more than one device. */
> -static void pci_patch_ids(PCIDevice *pdev, uint8_t *ptr, int size)
> +static void pci_patch_ids(PCIDevice *pdev, uint8_t *ptr, uint32_t size)
> {
> uint16_t vendor_id;
> uint16_t device_id;
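Review bot: widening `size` to uint32_t in `pci_patch_ids` is what lets a rounded-up 2 GiB image (0x80000000, which does not fit in a 32-bit int) reach the patcher without going negative, but the narrowing from the caller's int64_t happens implicitly at the call site; a one-line comment there stating that the 2 GiB cap guarantees the value fits would make the invariant visible to the next reader. If the body compares `size` against signed offsets, the change also introduces mixed-signedness comparisons, so a -Wsign-compare build is worth a look.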
> @@ -2292,7 +2293,7 @@ static void pci_patch_ids(PCIDevice *pdev, uint8_t *ptr, int size)
> static void pci_add_option_rom(PCIDevice *pdev, bool is_default_rom,
> Error **errp)
> {
> - int size;
> + int64_t size;
> char *path;
> void *ptr;
> char name[32];
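Review bot: with `size` now int64_t, any `%d` formatting of `size` elsewhere in `pci_add_option_rom` (outside this hunk) would need PRId64 to avoid a format mismatch; worth grepping the rest of the function before merging.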
> @@ -2342,6 +2343,11 @@ static void pci_add_option_rom(PCIDevice *pdev, bool is_default_rom,
> error_setg(errp, "romfile \"%s\" is empty", pdev->romfile);
> g_free(path);
> return;
> + } else if (size > 2 * GiB) {
> + error_setg(errp, "romfile \"%s\" too large (size cannot exceed 2 GiB)",
> + pdev->romfile);
> + g_free(path);
> + return;
> }
> size = pow2ceil(size);
>
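Review bot: the comparison `} else if (size > 2 * GiB) {` relies on GiB being a 64-bit constant (qemu/units.h defines it as INT64_C(1) << 30, hence the new include in the first hunk); if it were a plain int, `2 * GiB` would overflow before the comparison ran. The check deliberately admits exactly 2 GiB, and `size = pow2ceil(size);` then yields 2 GiB for anything in (1 GiB, 2 GiB], so the uint32_t parameter of pci_patch_ids is exactly sufficient; a short comment tying the cap to that parameter width would help. Nit: the error message reports the limit but not the offending size; including it with PRId64 would ease diagnosis.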
> --
> 2.29.2
dme.
--
I used to worry, thought I was goin' mad in a hurry.
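As an added example (not part of this thread and not QEMU code), the following C models the size handling the patch changes: what a 32-bit `int` would have received from get_image_size() for an oversized file, why the rounded 2 GiB result needs an unsigned 32-bit parameter, and the post-patch check followed by power-of-two rounding. GiB_EX, pow2ceil_ex, low32_of, fits_in_int, fits_in_uint32 and checked_rom_size are stand-ins introduced here, not QEMU identifiers.

```c
/*
 * Added example, not QEMU code: a stand-alone model of the size handling
 * in pci_add_option_rom() before and after the patch. GiB_EX and
 * pow2ceil_ex are local stand-ins for QEMU's GiB and pow2ceil().
 */
#include <inttypes.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define GiB_EX (INT64_C(1) << 30)   /* stand-in for GiB from qemu/units.h */

/* Smallest power of two >= value; matches pow2ceil() for 1 <= value <= 2^63. */
static uint64_t pow2ceil_ex(uint64_t value)
{
    uint64_t r = 1;
    while (r < value) {
        r <<= 1;
    }
    return r;
}

/* Pre-patch hazard: the int64_t from get_image_size() was stored in an int.
 * Taking the low 32 bits as unsigned is well defined in C and shows which
 * value the old code would have gone on to check and work with. */
static uint32_t low32_of(int64_t size)
{
    return (uint32_t)size;
}

/* Does the value survive assignment to a 32-bit int without truncation? */
static bool fits_in_int(int64_t size)
{
    return size >= 0 && size <= INT_MAX;
}

/* Does the value fit the uint32_t parameter pci_patch_ids() now takes? */
static bool fits_in_uint32(int64_t size)
{
    return size >= 0 && size <= (int64_t)UINT32_MAX;
}

/* Post-patch logic of the hunk as a pure function: -1 for an empty or
 * too-large image, otherwise the power-of-two rounded size. */
static int64_t checked_rom_size(int64_t size)
{
    if (size == 0) {
        return -1;                    /* "romfile is empty" */
    } else if (size > 2 * GiB_EX) {
        return -1;                    /* "too large (size cannot exceed 2 GiB)" */
    }
    return (int64_t)pow2ceil_ex((uint64_t)size);
}

int main(void)
{
    /* Constructed sample sizes: empty, odd small ROM, 1.5 GiB, the cap,
     * one byte over the cap, and a 4 GiB file whose low 32 bits look like
     * a legitimate 64 KiB ROM to an int-sized variable. */
    const int64_t sizes[] = {
        0, 65537, 3 * GiB_EX / 2, 2 * GiB_EX, 2 * GiB_EX + 1, 4 * GiB_EX + 65536
    };
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        printf("size=%" PRId64 " low32=%" PRIu32 " fits_int=%d fits_u32=%d checked=%" PRId64 "\n",
               sizes[i], low32_of(sizes[i]), fits_in_int(sizes[i]),
               fits_in_uint32(sizes[i]), checked_rom_size(sizes[i]));
    }
    return 0;
}
```

The last sample is the interesting one: a 4 GiB + 64 KiB file truncates to 65536 in an `int`, so the pre-patch code would have treated it as a plausible 64 KiB ROM, while the int64_t comparison rejects it outright. The 2 GiB boundary case shows why `pci_patch_ids` had to move to uint32_t: the rounded value passes the cap but does not fit a signed int.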
Thread overview: 6+ messages
2021-02-03 13:18 [PATCH v3 0/2] pci: add romsize property Paolo Bonzini
2021-02-03 13:18 ` [PATCH v3 1/2] pci: reject too large ROMs Paolo Bonzini
2021-02-03 14:08 ` David Edmondson [this message]
2021-02-03 13:18 ` [PATCH v3 2/2] pci: add romsize property Paolo Bonzini
2021-02-03 14:08 ` David Edmondson
2021-02-03 19:14 ` Laszlo Ersek