diff options
author | Akihiko Odaki <akihiko.odaki@daynix.com> | 2024-02-28 20:33:13 +0900 |
---|---|---|
committer | Michael S. Tsirkin <mst@redhat.com> | 2024-03-12 17:56:55 -0400 |
commit | 6081b4243cd64dff1b2cf5b0c215c71e9d7e753b (patch) | |
tree | 103c03b0aa606b0c8d97e4b7b34ca1b60c3a0be1 /hw/pci/pcie_sriov.c | |
parent | 91bb64a8d2014fda33a81fcf0fce37340f0d3b0c (diff) | |
download | qemu-6081b4243cd64dff1b2cf5b0c215c71e9d7e753b.zip qemu-6081b4243cd64dff1b2cf5b0c215c71e9d7e753b.tar.gz qemu-6081b4243cd64dff1b2cf5b0c215c71e9d7e753b.tar.bz2 |
pcie_sriov: Validate NumVFs
The guest may write NumVFs greater than TotalVFs and that can lead
to buffer overflow in VF implementations.
Cc: qemu-stable@nongnu.org
Fixes: CVE-2024-26327
Fixes: 7c0fa8dff811 ("pcie: Add support for Single Root I/O Virtualization (SR/IOV)")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-Id: <20240228-reuse-v8-2-282660281e60@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Sriram Yagnaraman <sriram.yagnaraman@ericsson.com>
Diffstat (limited to 'hw/pci/pcie_sriov.c')
-rw-r--r-- | hw/pci/pcie_sriov.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/hw/pci/pcie_sriov.c b/hw/pci/pcie_sriov.c index a1fe65f..da209b7 100644 --- a/hw/pci/pcie_sriov.c +++ b/hw/pci/pcie_sriov.c @@ -176,6 +176,9 @@ static void register_vfs(PCIDevice *dev) assert(sriov_cap > 0); num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF); + if (num_vfs > pci_get_word(dev->config + sriov_cap + PCI_SRIOV_TOTAL_VF)) { + return; + } dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs); |