From: "Michael S. Tsirkin" <mst@redhat.com>
To: Donald Dutile <ddutile@redhat.com>
Cc: kvm@vger.kernel.org, alex.williamson@redhat.com
Subject: Re: [PATCH 1/2] pci: bounds check offsets into config_map
Date: Thu, 21 Jul 2011 11:11:27 +0300 [thread overview]
Message-ID: <20110721081127.GC20360@redhat.com> (raw)
In-Reply-To: <20110720234638.5002.55773.stgit@dddsys0.bos.redhat.com>
On Wed, Jul 20, 2011 at 07:49:34PM -0400, Donald Dutile wrote:
> Bounds check to avoid walking off config_map[]
> and corrupting what is after it.
>
> Signed-off-by: Donald Dutile <ddutile@redhat.com>
> cc: Alex Williamson <alex.williamson@redhat.com>
> cc: Michael S. Tsirkin <mst@redhat.com>
> ---
>
> hw/pci.c | 16 ++++++++++++++--
> 1 files changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/hw/pci.c b/hw/pci.c
> index 5deaa04..9a7ff2d 100644
> --- a/hw/pci.c
> +++ b/hw/pci.c
> @@ -2078,12 +2078,24 @@ int pci_add_capability(PCIDevice *pdev, uint8_t cap_id,
> }
> } else {
> int i;
> + uint32_t config_size = pci_config_size(pdev);
This is actually slightly wrong: even for express
devices, legacy capabilities can not spill out from
the low 256 bytes: the extended config space has its
own capability list always starting with the express
capability at offset 256.
> +
> + /* ensure don't walk off end of config_map[] */
> + if (offset > (config_size - size)) {
I prefer not to have () around math here.
> + fprintf(stderr, "ERROR: %04x:%02x:%02x.%x "
> + "Attempt to add PCI capability 0x%x at offset 0x%x,"
> + "size 0x%x, which exceeds emulated PCI config space 0x%x\n",
> + pci_find_domain(pdev->bus), pci_bus_num(pdev->bus),
> + PCI_SLOT(pdev->devfn), PCI_FUNC(pdev->devfn),
> + cap_id, offset, size, config_size);
> + return -EINVAL;
> + }
>
> for (i = offset; i < offset + size; i++) {
> if (pdev->config_map[i]) {
> fprintf(stderr, "ERROR: %04x:%02x:%02x.%x "
> - "Attempt to add PCI capability %x at offset "
> - "%x overlaps existing capability %x at offset %x\n",
> + "Attempt to add PCI capability 0x%x at offset "
> + "0x%x overlaps existing capability 0x%x at offset 0x%x\n",
> pci_find_domain(pdev->bus), pci_bus_num(pdev->bus),
> PCI_SLOT(pdev->devfn), PCI_FUNC(pdev->devfn),
> cap_id, offset, pdev->config_map[i], i);
next prev parent reply other threads:[~2011-07-21 8:11 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-07-20 23:46 [PATCH 0/2] pci: config space bounds check and correction Donald Dutile
2011-07-20 23:49 ` [PATCH 1/2] pci: bounds check offsets into config_map Donald Dutile
2011-07-21 8:11 ` Michael S. Tsirkin [this message]
2011-07-21 15:52 ` Don Dutile
2011-07-20 23:51 ` [PATCH 2/2] pci: correct pci config size default for cap version 2 endpoints Donald Dutile
2011-07-21 2:43 ` Alex Williamson
2011-07-21 15:52 ` Don Dutile
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110721081127.GC20360@redhat.com \
--to=mst@redhat.com \
--cc=alex.williamson@redhat.com \
--cc=ddutile@redhat.com \
--cc=kvm@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox