|
| From: | Akihiko Odaki |
| Subject: | Re: [PATCH v4 5/9] pcie_sriov: Validate NumVFs |
| Date: | Wed, 14 Feb 2024 23:54:08 +0900 |
| User-agent: | Mozilla Thunderbird |
On 2024/02/14 17:58, Michael Tokarev wrote:
14.02.2024 08:13, Akihiko Odaki wrote:The guest may write NumVFs greater than TotalVFs and that can lead to buffer overflow in VF implementations.This seems to be stable-worthy (Cc'd), and maybe even CVE-worthy?
Perhaps so. The scope of the bug is limited to emulated SR-IOV devices, and I think nobody use them except for development, but it may be still nice to have a CVE.
Can anyone help assign a CVE? I don't know the procedure. Regards, Akihiko Odaki
Thanks, /mjtFixes: 7c0fa8dff811 ("pcie: Add support for Single Root I/O Virtualization (SR/IOV)")Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> --- hw/pci/pcie_sriov.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/hw/pci/pcie_sriov.c b/hw/pci/pcie_sriov.c index a1fe65f5d801..da209b7f47fd 100644 --- a/hw/pci/pcie_sriov.c +++ b/hw/pci/pcie_sriov.c @@ -176,6 +176,9 @@ static void register_vfs(PCIDevice *dev) assert(sriov_cap > 0); num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF);+ if (num_vfs > pci_get_word(dev->config + sriov_cap + PCI_SRIOV_TOTAL_VF)) {+ return; + } dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs);
| [Prev in Thread] | Current Thread | [Next in Thread] |