Kernel KVM virtualization development
From: sashiko-bot@kernel.org
To: "Chengwen Feng" <fengchengwen@huawei.com>
Cc: linux-pci@vger.kernel.org, kvm@vger.kernel.org
Subject: Re: [PATCH v19 11/18] vfio/pci: Virtualize PCIe TPH capability registers
Date: Thu, 02 Jul 2026 13:04:13 +0000	[thread overview]
Message-ID: <20260702130414.5DA5A1F00A3D@smtp.kernel.org> (raw)
In-Reply-To: <20260702124224.57168-12-fengchengwen@huawei.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

New issues:
- [Critical] Out-of-bounds read and write on the `perm->virt` and `perm->write` kernel heap buffers due to unvalidated dynamic hardware TPH capability length.

Pre-existing issues:
- [Critical] Missing bounds check in `vfio_ecap_init` can lead to a heap buffer overflow when handling extended capabilities with dynamically parsed lengths.
--

commit 78dd911822344404c5af18d9dd92fb51e5d34a18
Author: Chengwen Feng <fengchengwen@huawei.com>

vfio/pci: Virtualize PCIe TPH capability registers

This patch implements virtualization and policy masking for the PCIe TPH
extended capability. It splits configuration space permissions to keep the
header read-only while marking TPH_CTRL and ST-table entries as virtually
writable, and adjusts virtual capability bits based on hardware support.

> diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
> index 5c6ab172df6c0..06d7b2fbf866a 100644
> --- a/drivers/vfio/pci/vfio_pci_config.c
> +++ b/drivers/vfio/pci/vfio_pci_config.c
> @@ -1086,6 +1086,73 @@ static int __init init_pci_ext_cap_pwr_perm(struct perm_bits *perm)
>  	return 0;
>  }
>  
> +/* Permissions for TPH extended capability */
> +static int __init init_pci_ext_cap_tph_perm(struct perm_bits *perm)
> +{
> +	int i;
> +
> +	if (alloc_perm_bits(perm, pci_ext_cap_length[PCI_EXT_CAP_ID_TPH]))

[Severity: Critical]
Does this code under-allocate the permission bits if the capability length
is dynamically larger than 256 bytes?

Because pci_ext_cap_length[PCI_EXT_CAP_ID_TPH] is 0xFF, alloc_perm_bits()
will allocate a fixed 256-byte buffer. If vfio_ext_cap_len() calculates a
dynamically larger TPH capability size based on a device's ST table, it
appears subsequent user space reads or writes past offset 255 could cause an
out-of-bounds heap access when vfio_default_config_read() or
vfio_default_config_write() calls memcpy() against perm->virt and perm->write.

> +		return -ENOMEM;
> +
> +	p_setd(perm, 0, ALL_VIRT, NO_WRITE);
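Review bot: the perm table on the `alloc_perm_bits()` line is sized from the static `pci_ext_cap_length[PCI_EXT_CAP_ID_TPH]` entry, while the commit message says the ST-table entries are made virtually writable and the number of those entries is read from the device, so the permission table and the per-device capability length can disagree. Either size the table from the same per-device length that vfio_ecap_init() obtains for this capability, or have the TPH config read/write path clamp offset + count to the allocated perm length before indexing `perm->virt` / `perm->write`.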

[ ... ]

> @@ -1704,6 +1774,8 @@ static int vfio_ecap_init(struct vfio_pci_core_device *vdev)
>  		ret = vfio_fill_vconfig_bytes(vdev, epos, len);
>  		if (ret)
>  			return ret;
> +		if (ecap == PCI_EXT_CAP_ID_TPH && !hidden)
> +			vfio_tph_capability_adjust(vdev, epos);

[Severity: Critical]
This is a pre-existing issue, but could the dynamically calculated length lead
to a heap buffer overflow here?

If a faulty or malicious device advertises a large ST table size,
vfio_ext_cap_len() can calculate a length where epos + len significantly
exceeds pdev->cfg_size. Since there appears to be no bounds check before:

drivers/vfio/pci/vfio_pci_config.c:vfio_ecap_init() {
    ...
    memset(map + epos, ecap, len);
    ret = vfio_fill_vconfig_bytes(vdev, epos, len);
    ...
}

could this overflow the vdev->pci_config_map and vdev->vconfig heap buffers?

>  
>  		/*
>  		 * If we're just using this capability to anchor the list,
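Review bot: the added `vfio_tph_capability_adjust(vdev, epos)` call discards any result, unlike the `ret = vfio_fill_vconfig_bytes(...)` check two lines above it; if the helper can fail on a config-space read, propagate that error the same way. Separately, the `len` consumed by the memset and fill above this hunk is whatever vfio_ext_cap_len() computed, with no check that `epos + len` stays within the config map; a guard such as `if (epos + len > pdev->cfg_size) return -EINVAL;` (or clamping `len` to the remaining space) before the fill would close the pre-existing concern raised above.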

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260702124224.57168-1-fengchengwen@huawei.com?part=11

Thread overview: 45+ messages
2026-07-02 12:42 [PATCH v19 00/18] vfio/pci: Add PCIe TPH support Chengwen Feng
2026-07-02 12:42 ` [PATCH v19 01/18] PCI/TPH: Fix pcie_tph_get_st_table_loc() field extraction Chengwen Feng
2026-07-02 12:51   ` sashiko-bot
2026-07-02 12:42 ` [PATCH v19 02/18] PCI/TPH: Fix tph_enabled concurrent update race by bitfield packing Chengwen Feng
2026-07-02 12:51   ` sashiko-bot
2026-07-02 12:42 ` [PATCH v19 03/18] PCI/TPH: Cache TPH requester capability at probe time Chengwen Feng
2026-07-02 12:55   ` sashiko-bot
2026-07-02 12:42 ` [PATCH v19 04/18] PCI/TPH: Refactor pcie_enable_tph & add explicit requester variant Chengwen Feng
2026-07-02 12:50   ` sashiko-bot
2026-07-02 12:42 ` [PATCH v19 05/18] PCI/TPH: Refactor pcie_tph_get_cpu_st & add explicit variant Chengwen Feng
2026-07-02 12:56   ` sashiko-bot
2026-07-02 12:42 ` [PATCH v19 06/18] PCI/TPH: Expose the enabled TPH requester type Chengwen Feng
2026-07-02 12:49   ` sashiko-bot
2026-07-02 12:42 ` [PATCH v19 07/18] PCI/TPH: Add pcie_tph_supported() helper to check TPH capability attributes Chengwen Feng
2026-07-02 12:53   ` sashiko-bot
2026-07-03  0:39     ` fengchengwen
2026-07-02 12:42 ` [PATCH v19 08/18] PCI/TPH: Add pci_tph_dsm_supported() helper to detect device TPH ST _DSM Chengwen Feng
2026-07-02 12:55   ` sashiko-bot
2026-07-02 12:42 ` [PATCH v19 09/18] vfio/pci: Hide TPH capability when TPH is unsupported Chengwen Feng
2026-07-02 13:00   ` sashiko-bot
2026-07-03  0:36     ` fengchengwen
2026-07-02 12:42 ` [PATCH v19 10/18] vfio/pci: Introduce tph policy parameter for staged TPH feature enablement Chengwen Feng
2026-07-02 12:50   ` sashiko-bot
2026-07-02 12:42 ` [PATCH v19 11/18] vfio/pci: Virtualize PCIe TPH capability registers Chengwen Feng
2026-07-02 13:04   ` sashiko-bot [this message]
2026-07-03  0:51     ` fengchengwen
2026-07-02 12:42 ` [PATCH v19 12/18] vfio/pci: Add dmabuf TPH metadata storage and fd query helper Chengwen Feng
2026-07-02 12:56   ` sashiko-bot
2026-07-03  0:53     ` fengchengwen
2026-07-02 12:42 ` [PATCH v19 13/18] vfio/pci: Introduce VFIO_DEVICE_FEATURE_TPH family uapi for PCI TPH control Chengwen Feng
2026-07-02 13:01   ` sashiko-bot
2026-07-03  0:57     ` fengchengwen
2026-07-02 12:42 ` [PATCH v19 14/18] vfio/pci: Implement VFIO_DEVICE_FEATURE_TPH and valid TPH config write support Chengwen Feng
2026-07-02 13:04   ` sashiko-bot
2026-07-03  1:16     ` fengchengwen
2026-07-02 12:42 ` [PATCH v19 15/18] vfio/pci: Implement TPH_RESOLVE feature for DMABUF and CPU source resolving Chengwen Feng
2026-07-02 13:00   ` sashiko-bot
2026-07-03  1:26     ` fengchengwen
2026-07-02 12:42 ` [PATCH v19 16/18] vfio/pci: Implement TPH_ST feature for batch ST table programming Chengwen Feng
2026-07-02 13:04   ` sashiko-bot
2026-07-03  1:42     ` fengchengwen
2026-07-02 12:42 ` [PATCH v19 17/18] vfio/pci: Reset hardware TPH state on device enable/disable Chengwen Feng
2026-07-02 13:00   ` sashiko-bot
2026-07-02 12:42 ` [PATCH v19 18/18] vfio/pci: Expose tph_policy via debugfs Chengwen Feng
2026-07-02 12:59   ` sashiko-bot
