tools/libs/light: fix BAR memory address truncation

Jiqian Chen · andyhhp · commit 832ecbff8ec4 · 2025-10-24T13:23:01.000+01:00
64-bit BAR memory address is truncated when removing a passthrough pci device from guest since it uses "unsigned int". So, change to use 64-bit type to fix this problem. This is XSA-476 / CVE-2025-58149. Fixes: b0a1af6 ("libxenlight: implement pci passthrough") Signed-off-by: Jiqian Chen <Jiqian.Chen@amd.com> Release-Acked-by: Oleksii Kurochko <oleksii.kurochko@gmail.com> Reviewed-by: Juergen Gross <jgross@suse.com> Acked-by: Anthony PERARD <anthony.perard@vates.tech> (cherry picked from commit 421432b)
diff --git a/tools/libs/light/libxl_pci.c b/tools/libs/light/libxl_pci.c
@@ -2168,7 +2168,7 @@ static void pci_remove_detached(libxl__egc *egc,
 {
     STATE_AO_GC(prs->aodev->ao);
     libxl_ctx *ctx = libxl__gc_owner(gc);
-    unsigned int start = 0, end = 0, flags = 0, size = 0;
+    uint64_t start = 0, end = 0, flags = 0, size = 0;
     int  irq = 0, i, stubdomid = 0;
     const char *sysfs_path;
     FILE *f;
@@ -2198,7 +2198,8 @@ static void pci_remove_detached(libxl__egc *egc,
     }
 
     for (i = 0; i < PROC_PCI_NUM_RESOURCES; i++) {
-        if (fscanf(f, "0x%x 0x%x 0x%x\n", &start, &end, &flags) != 3)
+        if (fscanf(f, "0x%"SCNx64" 0x%"SCNx64" 0x%"SCNx64"\n",
+                   &start, &end, &flags) != 3)
             continue;
         size = end - start + 1;
         if (start) {
@@ -2207,7 +2208,7 @@ static void pci_remove_detached(libxl__egc *egc,
                                                  size, 0);
                 if (rc < 0)
                     LOGED(ERROR, domid,
-                          "xc_domain_ioport_permission error 0x%x/0x%x",
+                          "xc_domain_ioport_permission error %#"PRIx64"/%#"PRIx64,
                           start,
                           size);
             } else {
@@ -2217,7 +2218,7 @@ static void pci_remove_detached(libxl__egc *egc,
                                                 0);
                 if (rc < 0)
                     LOGED(ERROR, domid,
-                          "xc_domain_iomem_permission error 0x%x/0x%x",
+                          "xc_domain_iomem_permission error %#"PRIx64"/%#"PRIx64,
                           start,
                           size);
             }
