vfio-pci: Further fix BAR size overflow

In an analysis by Laszlo, the resulting type of our calculation for the end of the MSI-X table, and thus the start of memory after the table, is uint32_t. We're therefore not correctly preventing the corner case overflow that we intended to fix here where a BAR >=4G could place the MSI-X table to end exactly at the 4G boundary. The MSI-X table offset is defined by the hardware spec to 32bits, so we simply use a cast rather than changing data structure types. This scenario is purely theoretically, typically the MSI-X table is located at the front of the BAR. Reported-by: Laszlo Ersek <lersek@redhat.com> Reviewed-by: Laszlo Ersek <lersek@redhat.com> Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
qemu · Apr 28, 2015 · 07ceaf9 · 07ceaf9
1 parent 84cbd63
commit 07ceaf9
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
@@ -2400,7 +2400,7 @@ static void vfio_map_bar(VFIOPCIDevice *vdev, int nr)
     if (vdev->msix && vdev->msix->table_bar == nr) {
         uint64_t start;
 
-        start = HOST_PAGE_ALIGN(vdev->msix->table_offset +
+        start = HOST_PAGE_ALIGN((uint64_t)vdev->msix->table_offset +
                                 (vdev->msix->entries * PCI_MSIX_ENTRY_SIZE));
 
         size = start < bar->region.size ? bar->region.size - start : 0;