hv: validate input for dmar_free_irte function
 Malicious input 'index' may trigger buffer
 overflow on array 'irte_alloc_bitmap[]'.

 This patch validates that 'index' is
 less than 'CONFIG_MAX_IR_ENTRIES' and also
 removes the now-redundant check on 'index'
 in the 'ptirq_free_irte()' function.

Tracked-On: #6132
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
yonghuah authored and wenlingz committed Jun 8, 2021
1 parent 4acaeb9 commit 25c0e38
Showing 2 changed files with 8 additions and 10 deletions.
16 changes: 7 additions & 9 deletions hypervisor/arch/x86/guest/assign.c
Expand Up @@ -72,16 +72,14 @@ static void ptirq_free_irte(const struct ptirq_remapping_info *entry)
{
struct intr_source intr_src;

if (entry->irte_idx < CONFIG_MAX_IR_ENTRIES) {
if (entry->intr_type == PTDEV_INTR_MSI) {
intr_src.is_msi = true;
intr_src.src.msi.value = entry->phys_sid.msi_id.bdf;
} else {
intr_src.is_msi = false;
intr_src.src.ioapic_id = ioapic_irq_to_ioapic_id(entry->allocated_pirq);
}
dmar_free_irte(&intr_src, entry->irte_idx);
if (entry->intr_type == PTDEV_INTR_MSI) {
intr_src.is_msi = true;
intr_src.src.msi.value = entry->phys_sid.msi_id.bdf;
} else {
intr_src.is_msi = false;
intr_src.src.ioapic_id = ioapic_irq_to_ioapic_id(entry->allocated_pirq);
}
dmar_free_irte(&intr_src, entry->irte_idx);
}

/*
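Review bot: With the `irte_idx < CONFIG_MAX_IR_ENTRIES` guard removed, nothing at this call site tells a reader that the index is still bounds-checked, so a later maintainer may re-add the check or assume it is missing; a one-line comment above the call would settle that: `/* irte_idx is range-checked inside dmar_free_irte(); out-of-range values are ignored there */`. The removed guard may also have doubled as an "an IRTE was actually allocated" test if unallocated entries carry an out-of-range irte_idx — that is not visible here, but if so, every free of an IOAPIC entry now evaluates `ioapic_irq_to_ioapic_id(entry->allocated_pirq)` and the DMAR-unit lookup before the index is rejected, which is worth confirming is harmless for entries that never received an IRTE. Whether `dmar_free_irte()` covers every use of the index is decided in vtd.c, not here, so the safety of this simplification rests entirely on that function's guard.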
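--- a/hypervisor/arch/x86/vtd.c
+++ b/hypervisor/arch/x86/vtd.c
@@ -1398,7 +1398,7 @@ void dmar_free_irte(const struct intr_source *intr_src, uint16_t index)
 dmar_unit = ioapic_to_dmaru(intr_src->src.ioapic_id, &sid);
 }
 
-if (is_dmar_unit_valid(dmar_unit, sid)) {
+if (is_dmar_unit_valid(dmar_unit, sid) && (index < CONFIG_MAX_IR_ENTRIES)) {
 ir_table = (union dmar_ir_entry *)hpa2hva(dmar_unit->ir_table_addr);
 ir_entry = ir_table + index;
 ir_entry->bits.remap.present = 0x0UL;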
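Review bot: An out-of-range `index` is now dropped silently by the new condition on the `if` line, so a caller passing a corrupted or malicious index gets no diagnostic and a rejected free is indistinguishable from a successful one; consider reporting the rejection in an `else` branch with whatever error-print macro vtd.c already uses, so the trigger described in the commit message shows up in the log instead of being swallowed. The precondition should also be stated on the function itself, e.g. a comment above the definition shown in the hunk header: `/* index must be < CONFIG_MAX_IR_ENTRIES; larger values are ignored rather than freed */`. The commit message says the guard protects `irte_alloc_bitmap[]`, but the only use of `index` visible here is the `ir_table + index` computation, so it is worth confirming that the bitmap clear sits inside this guarded block as well. dmar_free_irte's body continues past the end of the hunk.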
