From: Don Dutile <ddutile@redhat.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: kvm@vger.kernel.org, alex.williamson@redhat.com
Subject: Re: [PATCH 1/2] pci: bounds check offsets into config_map
Date: Thu, 21 Jul 2011 11:52:56 -0400 [thread overview]
Message-ID: <4E284B58.9020200@redhat.com> (raw)
In-Reply-To: <20110721081127.GC20360@redhat.com>
On 07/21/2011 04:11 AM, Michael S. Tsirkin wrote:
> On Wed, Jul 20, 2011 at 07:49:34PM -0400, Donald Dutile wrote:
>> Bounds check to avoid walking off config_map[]
>> and corrupting what is after it.
>>
>> Signed-off-by: Donald Dutile<ddutile@redhat.com>
>> cc: Alex Williamson<alex.williamson@redhat.com>
>> cc: Michael S. Tsirkin<mst@redhat.com>
>> ---
>>
>> hw/pci.c | 16 ++++++++++++++--
>> 1 files changed, 14 insertions(+), 2 deletions(-)
>>
>> diff --git a/hw/pci.c b/hw/pci.c
>> index 5deaa04..9a7ff2d 100644
>> --- a/hw/pci.c
>> +++ b/hw/pci.c
>> @@ -2078,12 +2078,24 @@ int pci_add_capability(PCIDevice *pdev, uint8_t cap_id,
>> }
>> } else {
>> int i;
>> + uint32_t config_size = pci_config_size(pdev);
>
> This is actually slightly wrong: even for express
> devices, legacy capabilities can not spill out from
> the low 256 bytes: the extended config space has its
> own capability list always starting with the express
> capability at offset 256.
>
will just remove this checking & put it all in device-assignment.c
>> +
>> + /* ensure don't walk off end of config_map[] */
>> + if (offset> (config_size - size)) {
>
> I prefer not to have () around math here.
>
>
ok.
>> + fprintf(stderr, "ERROR: %04x:%02x:%02x.%x "
>> + "Attempt to add PCI capability 0x%x at offset 0x%x,"
>> + "size 0x%x, which exceeds emulated PCI config space 0x%x\n",
>> + pci_find_domain(pdev->bus), pci_bus_num(pdev->bus),
>> + PCI_SLOT(pdev->devfn), PCI_FUNC(pdev->devfn),
>> + cap_id, offset, size, config_size);
>> + return -EINVAL;
>> + }
>>
>> for (i = offset; i< offset + size; i++) {
>> if (pdev->config_map[i]) {
>> fprintf(stderr, "ERROR: %04x:%02x:%02x.%x "
>> - "Attempt to add PCI capability %x at offset "
>> - "%x overlaps existing capability %x at offset %x\n",
>> + "Attempt to add PCI capability 0x%x at offset "
>> + "0x%x overlaps existing capability 0x%x at offset 0x%x\n",
>> pci_find_domain(pdev->bus), pci_bus_num(pdev->bus),
>> PCI_SLOT(pdev->devfn), PCI_FUNC(pdev->devfn),
>> cap_id, offset, pdev->config_map[i], i);
next prev parent reply other threads:[~2011-07-21 15:52 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-07-20 23:46 [PATCH 0/2] pci: config space bounds check and correction Donald Dutile
2011-07-20 23:49 ` [PATCH 1/2] pci: bounds check offsets into config_map Donald Dutile
2011-07-21 8:11 ` Michael S. Tsirkin
2011-07-21 15:52 ` Don Dutile [this message]
2011-07-20 23:51 ` [PATCH 2/2] pci: correct pci config size default for cap version 2 endpoints Donald Dutile
2011-07-21 2:43 ` Alex Williamson
2011-07-21 15:52 ` Don Dutile
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E284B58.9020200@redhat.com \
--to=ddutile@redhat.com \
--cc=alex.williamson@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=mst@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox