aboutsummaryrefslogtreecommitdiff
path: root/hw/pci/pcie_sriov.c
diff options
context:
space:
mode:
authorAkihiko Odaki <akihiko.odaki@daynix.com>2024-02-28 20:33:13 +0900
committerMichael S. Tsirkin <mst@redhat.com>2024-03-12 17:56:55 -0400
commit6081b4243cd64dff1b2cf5b0c215c71e9d7e753b (patch)
tree103c03b0aa606b0c8d97e4b7b34ca1b60c3a0be1 /hw/pci/pcie_sriov.c
parent91bb64a8d2014fda33a81fcf0fce37340f0d3b0c (diff)
downloadqemu-6081b4243cd64dff1b2cf5b0c215c71e9d7e753b.zip
qemu-6081b4243cd64dff1b2cf5b0c215c71e9d7e753b.tar.gz
qemu-6081b4243cd64dff1b2cf5b0c215c71e9d7e753b.tar.bz2
pcie_sriov: Validate NumVFs
The guest may write NumVFs greater than TotalVFs and that can lead to buffer overflow in VF implementations. Cc: qemu-stable@nongnu.org Fixes: CVE-2024-26327 Fixes: 7c0fa8dff811 ("pcie: Add support for Single Root I/O Virtualization (SR/IOV)") Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Message-Id: <20240228-reuse-v8-2-282660281e60@daynix.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Sriram Yagnaraman <sriram.yagnaraman@ericsson.com>
Diffstat (limited to 'hw/pci/pcie_sriov.c')
-rw-r--r--hw/pci/pcie_sriov.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/hw/pci/pcie_sriov.c b/hw/pci/pcie_sriov.c
index a1fe65f..da209b7 100644
--- a/hw/pci/pcie_sriov.c
+++ b/hw/pci/pcie_sriov.c
@@ -176,6 +176,9 @@ static void register_vfs(PCIDevice *dev)
assert(sriov_cap > 0);
num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF);
+ if (num_vfs > pci_get_word(dev->config + sriov_cap + PCI_SRIOV_TOTAL_VF)) {
+ return;
+ }
dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs);