* [Qemu-devel] [PATCH] vfio-pci: Fix BAR size overflow
@ 2015-01-07 0:03 Alex Williamson
From: Alex Williamson @ 2015-01-07 0:03 UTC (permalink / raw)
To: qemu-devel; +Cc: Alex Williamson
We use an unsigned int when working with the PCI BAR size, which can
obviously overflow if the BAR is 4GB or larger. This needs to change
to an unsigned long. A similar issue is possible, though even more
unlikely, when mapping the region above an MSI-X table. The start of
the table must be below 4GB, but the end, and therefore the start of
the next mapping region, could still land at 4GB.
Suggested-by: Nishank Trivedi <nishank.trivedi@netapp.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
---
hw/vfio/pci.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index b4e73d1..03790a8 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -2301,7 +2301,7 @@ static void vfio_unmap_bar(VFIOPCIDevice *vdev, int nr)
static void vfio_map_bar(VFIOPCIDevice *vdev, int nr)
{
VFIOBAR *bar = &vdev->bars[nr];
- unsigned size = bar->region.size;
+ unsigned long size = bar->region.size;
char name[64];
uint32_t pci_bar;
uint8_t type;
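Review bot: `unsigned long` does not fix the truncation on hosts where long is 32 bits (32-bit builds, and 64-bit Windows), so a BAR of 4GB or more still wraps in `+ unsigned long size = bar->region.size;`; use a fixed-width type that matches the region size field, e.g. `uint64_t size = bar->region.size;` (or QEMU's `hwaddr`), and check that the consumers of `size` later in vfio_map_bar accept a 64-bit value.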
@@ -2351,7 +2351,7 @@ static void vfio_map_bar(VFIOPCIDevice *vdev, int nr)
}
if (vdev->msix && vdev->msix->table_bar == nr) {
- unsigned start;
+ unsigned long start;
start = HOST_PAGE_ALIGN(vdev->msix->table_offset +
(vdev->msix->entries * PCI_MSIX_ENTRY_SIZE));
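Review bot: widening `start` alone is not enough if the operands of the addition in `start = HOST_PAGE_ALIGN(vdev->msix->table_offset + (vdev->msix->entries * PCI_MSIX_ENTRY_SIZE));` are 32-bit: the sum is evaluated at the operands' width and can wrap to 0 before it is stored, which is exactly the end-lands-at-4GB case the commit message describes. Cast `table_offset` to a 64-bit type before the addition (or confirm the field is already 64 bits), and, as in the first hunk, prefer `uint64_t` over `unsigned long` so the fix also holds on 32-bit builds.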
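As an added illustration (not part of the patch or of QEMU's code), the narrowing this thread discusses reproduced in plain C, with constructed stand-ins for PCI_MSIX_ENTRY_SIZE and HOST_PAGE_ALIGN; it also shows the case that widening only the stored variable does not cover, where the sum wraps before the store.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the QEMU values named in the patch (assumptions;
 * the real definitions live in hw/vfio and the host headers). */
#define PCI_MSIX_ENTRY_SIZE 16u
#define HOST_PAGE_SIZE      4096ULL
#define HOST_PAGE_ALIGN(x)  (((x) + HOST_PAGE_SIZE - 1) & ~(HOST_PAGE_SIZE - 1))

/* Pre-patch behaviour: the 64-bit region size is narrowed to unsigned int,
 * so a 4GB BAR reads back as 0 (unsigned conversion is modulo 2^32). */
uint64_t bar_size_via_unsigned(uint64_t region_size)
{
    unsigned size = region_size;   /* implicit narrowing, as in the old code */
    return size;
}

/* Fixed-width alternative: correct on 32-bit and 64-bit hosts alike
 * (unsigned long is only 32 bits on 32-bit builds, as the review notes). */
uint64_t bar_size_via_u64(uint64_t region_size)
{
    uint64_t size = region_size;
    return size;
}

/* Start of the region above the MSI-X table when the sum is evaluated in
 * 32-bit arithmetic: a table near the top of 4GB wraps to 0 before the
 * (wider) store, regardless of how wide 'start' is. */
uint64_t msix_region_start_32(uint32_t table_offset, uint32_t entries)
{
    uint32_t end = table_offset + entries * PCI_MSIX_ENTRY_SIZE;  /* may wrap */
    uint64_t start = HOST_PAGE_ALIGN((uint64_t)end);
    return start;
}

/* Same computation with the operands promoted to 64 bits first. */
uint64_t msix_region_start_64(uint32_t table_offset, uint32_t entries)
{
    uint64_t end = (uint64_t)table_offset + (uint64_t)entries * PCI_MSIX_ENTRY_SIZE;
    return HOST_PAGE_ALIGN(end);
}

int main(void)
{
    printf("sizeof(unsigned long) on this host: %zu\n", sizeof(unsigned long));
    printf("4GB BAR via unsigned: %llu, via uint64_t: %llu\n",
           (unsigned long long)bar_size_via_unsigned(1ULL << 32),
           (unsigned long long)bar_size_via_u64(1ULL << 32));
    printf("MSI-X region start, 32-bit sum: 0x%llx, 64-bit sum: 0x%llx\n",
           (unsigned long long)msix_region_start_32(0xFFFFF000u, 256),
           (unsigned long long)msix_region_start_64(0xFFFFF000u, 256));
    return 0;
}
```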
* Re: [Qemu-devel] [PATCH] vfio-pci: Fix BAR size overflow
@ 2015-01-07 3:06 ` Don Slutz
From: Don Slutz @ 2015-01-07 3:06 UTC (permalink / raw)
To: Alex Williamson; +Cc: qemu-devel
On 01/06/15 19:03, Alex Williamson wrote:
> We use an unsigned int when working with the PCI BAR size, which can
> obviously overflow if the BAR is 4GB or larger. This needs to change
> to an unsigned long. A similar issue is possible, though even more
> unlikely, when mapping the region above an MSI-X table. The start of
> the table must be below 4GB, but the end, and therefore the start of
> the next mapping region, could still land at 4GB.
>
> Suggested-by: Nishank Trivedi <nishank.trivedi@netapp.com>
> Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
> ---
>
> hw/vfio/pci.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
> index b4e73d1..03790a8 100644
> --- a/hw/vfio/pci.c
> +++ b/hw/vfio/pci.c
> @@ -2301,7 +2301,7 @@ static void vfio_unmap_bar(VFIOPCIDevice *vdev, int nr)
> static void vfio_map_bar(VFIOPCIDevice *vdev, int nr)
> {
> VFIOBAR *bar = &vdev->bars[nr];
> - unsigned size = bar->region.size;
> + unsigned long size = bar->region.size;
On a 32bit build, this does not fix the issue.
-Don Slutz
> char name[64];
> uint32_t pci_bar;
> uint8_t type;
> @@ -2351,7 +2351,7 @@ static void vfio_map_bar(VFIOPCIDevice *vdev, int nr)
> }
>
> if (vdev->msix && vdev->msix->table_bar == nr) {
> - unsigned start;
> + unsigned long start;
>
> start = HOST_PAGE_ALIGN(vdev->msix->table_offset +
> (vdev->msix->entries * PCI_MSIX_ENTRY_SIZE));
>
>
* Re: [Qemu-devel] [PATCH] vfio-pci: Fix BAR size overflow
@ 2015-01-07 3:39 ` Alex Williamson
From: Alex Williamson @ 2015-01-07 3:39 UTC (permalink / raw)
To: Don Slutz; +Cc: qemu-devel
----- Original Message -----
> On 01/06/15 19:03, Alex Williamson wrote:
> > We use an unsigned int when working with the PCI BAR size, which can
> > obviously overflow if the BAR is 4GB or larger. This needs to change
> > to an unsigned long. A similar issue is possible, though even more
> > unlikely, when mapping the region above an MSI-X table. The start of
> > the table must be below 4GB, but the end, and therefore the start of
> > the next mapping region, could still land at 4GB.
> >
> > Suggested-by: Nishank Trivedi <nishank.trivedi@netapp.com>
> > Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
> > ---
> >
> > hw/vfio/pci.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
> > index b4e73d1..03790a8 100644
> > --- a/hw/vfio/pci.c
> > +++ b/hw/vfio/pci.c
> > @@ -2301,7 +2301,7 @@ static void vfio_unmap_bar(VFIOPCIDevice *vdev, int
> > nr)
> > static void vfio_map_bar(VFIOPCIDevice *vdev, int nr)
> > {
> > VFIOBAR *bar = &vdev->bars[nr];
> > - unsigned size = bar->region.size;
> > + unsigned long size = bar->region.size;
>
> On a 32bit build, this does not fix the issue.
Very true. Thanks for the review,
Alex
> > char name[64];
> > uint32_t pci_bar;
> > uint8_t type;
> > @@ -2351,7 +2351,7 @@ static void vfio_map_bar(VFIOPCIDevice *vdev, int nr)
> > }
> >
> > if (vdev->msix && vdev->msix->table_bar == nr) {
> > - unsigned start;
> > + unsigned long start;
> >
> > start = HOST_PAGE_ALIGN(vdev->msix->table_offset +
> > (vdev->msix->entries *
> > PCI_MSIX_ENTRY_SIZE));
> >
> >
>
>