> -----Original Message----- > From: Akihiko Odaki <[email protected]> > Sent: Wednesday, 28 February 2024 12:33 > To: Philippe Mathieu-Daudé <[email protected]>; Michael S. Tsirkin > <[email protected]>; Marcel Apfelbaum <[email protected]>; > Alex Williamson <[email protected]>; Cédric Le Goater > <[email protected]>; Paolo Bonzini <[email protected]>; Daniel P. > Berrangé <[email protected]>; Eduardo Habkost > <[email protected]>; Sriram Yagnaraman > <[email protected]>; Jason Wang <[email protected]>; > Keith Busch <[email protected]>; Klaus Jensen <[email protected]>; Markus > Armbruster <[email protected]> > Cc: [email protected]; [email protected]; Akihiko Odaki > <[email protected]>; [email protected] > Subject: [PATCH v8 02/15] pcie_sriov: Validate NumVFs > > The guest may write NumVFs greater than TotalVFs and that can lead to buffer > overflow in VF implementations. > > Cc: [email protected] > Fixes: CVE-2024-26327 > Fixes: 7c0fa8dff811 ("pcie: Add support for Single Root I/O Virtualization > (SR/IOV)") > Signed-off-by: Akihiko Odaki <[email protected]> > --- > hw/pci/pcie_sriov.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/hw/pci/pcie_sriov.c b/hw/pci/pcie_sriov.c index > a1fe65f5d801..da209b7f47fd 100644 > --- a/hw/pci/pcie_sriov.c > +++ b/hw/pci/pcie_sriov.c > @@ -176,6 +176,9 @@ static void register_vfs(PCIDevice *dev) > > assert(sriov_cap > 0); > num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF); > + if (num_vfs > pci_get_word(dev->config + sriov_cap + > PCI_SRIOV_TOTAL_VF)) { > + return; > + } > > dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs); > > > -- > 2.43.2
Assuming change of my mail address from [email protected] to @ericsson.com is accepted, Reviewed-by: Sriram Yagnaraman <[email protected]>
