Skip to content

Commit

Permalink
pcie_sriov: Validate NumVFs
Browse files Browse the repository at this point in the history 
The guest may write NumVFs greater than TotalVFs and that can lead
to buffer overflow in VF implementations.

Cc: qemu-stable@nongnu.org
Fixes: CVE-2024-26327
Fixes: 7c0fa8d ("pcie: Add support for Single Root I/O Virtualization (SR/IOV)")
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-Id: <20240228-reuse-v8-2-282660281e60@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Sriram Yagnaraman <sriram.yagnaraman@ericsson.com>
(cherry picked from commit 6081b42)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
  • Loading branch information
@akihikodaki
akihikodaki authored and Michael Tokarev committed Mar 13, 2024
1 parent c6a628d commit fb2514e
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions hw/pci/pcie_sriov.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -176,6 +176,9 @@ static void register_vfs(PCIDevice *dev)

assert(sriov_cap > 0);
num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF);
if (num_vfs > pci_get_word(dev->config + sriov_cap + PCI_SRIOV_TOTAL_VF)) {
return;
}

dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs);

Expand Down

0 comments on commit fb2514e

Please sign in to comment.