diff options
| author | Jan Kiszka <jan.kiszka@siemens.com> | 2020-03-10 18:42:11 +0100 |
|---|---|---|
| committer | Paolo Bonzini <pbonzini@redhat.com> | 2020-03-16 23:02:22 +0100 |
| commit | 3c507c26ecda8f072c80338592d7894543448fe4 (patch) | |
| tree | 4438a2dc484e7f8a4ba6ebfefff353ed937d5583 /hw/i386/intel_iommu.c | |
| parent | 6c94b95274b7a602243f8ab5a9c3e54d4f5acc6b (diff) | |
| download | qemu-3c507c26ecda8f072c80338592d7894543448fe4.zip qemu-3c507c26ecda8f072c80338592d7894543448fe4.tar.gz qemu-3c507c26ecda8f072c80338592d7894543448fe4.tar.bz2 | |
hw/i386/intel_iommu: Fix out-of-bounds access on guest IRT
vtd_irte_get failed to check the index against the configured table
size, causing an out-of-bounds access on guest memory and potentially
misinterpreting the result.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Message-Id: <4b15b728-bdfe-3bbe-3a5c-ca3baeef3c5c@siemens.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'hw/i386/intel_iommu.c')
| -rw-r--r-- | hw/i386/intel_iommu.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/hw/i386/intel_iommu.c b/hw/i386/intel_iommu.c index 204b684..df7ad25 100644 --- a/hw/i386/intel_iommu.c +++ b/hw/i386/intel_iommu.c @@ -3094,6 +3094,12 @@ static int vtd_irte_get(IntelIOMMUState *iommu, uint16_t index, uint16_t mask, source_id; uint8_t bus, bus_max, bus_min; + if (index >= iommu->intr_size) { + error_report_once("%s: index too large: ind=0x%x", + __func__, index); + return -VTD_FR_IR_INDEX_OVER; + } + addr = iommu->intr_root + index * sizeof(*entry); if (dma_memory_read(&address_space_memory, addr, entry, sizeof(*entry))) { |