Skip to content

Commit

Permalink
pcie_sriov: Validate NumVFs
Browse files Browse the repository at this point in the history 
The guest may write NumVFs greater than TotalVFs and that can lead
to buffer overflow in VF implementations.

Cc: qemu-stable@nongnu.org
Fixes: CVE-2024-26327
Fixes: 7c0fa8d ("pcie: Add support for Single Root I/O Virtualization (SR/IOV)")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-Id: <20240228-reuse-v8-2-282660281e60@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Sriram Yagnaraman <sriram.yagnaraman@ericsson.com>
(cherry picked from commit 6081b42)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
  • Loading branch information
@akihikodaki
akihikodaki authored and Michael Tokarev committed Mar 13, 2024
1 parent 98f3488 commit 313e746
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions hw/pci/pcie_sriov.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -176,6 +176,9 @@ static void register_vfs(PCIDevice *dev)

assert(sriov_cap > 0);
num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF);
if (num_vfs > pci_get_word(dev->config + sriov_cap + PCI_SRIOV_TOTAL_VF)) {
return;
}

dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs);

Expand Down

0 comments on commit 313e746

Please sign in to comment.