Bounds check to avoid walking off config_map[] and corrupting what is after it.
Signed-off-by: Donald Dutile <[email protected]> cc: Alex Williamson <[email protected]> cc: Michael S. Tsirkin <[email protected]> --- hw/pci.c | 16 ++++++++++++++-- 1 files changed, 14 insertions(+), 2 deletions(-) diff --git a/hw/pci.c b/hw/pci.c index 5deaa04..9a7ff2d 100644 --- a/hw/pci.c +++ b/hw/pci.c @@ -2078,12 +2078,24 @@ int pci_add_capability(PCIDevice *pdev, uint8_t cap_id, } } else { int i; + uint32_t config_size = pci_config_size(pdev); + + /* ensure don't walk off end of config_map[] */ + if (offset > (config_size - size)) { + fprintf(stderr, "ERROR: %04x:%02x:%02x.%x " + "Attempt to add PCI capability 0x%x at offset 0x%x," + "size 0x%x, which exceeds emulated PCI config space 0x%x\n", + pci_find_domain(pdev->bus), pci_bus_num(pdev->bus), + PCI_SLOT(pdev->devfn), PCI_FUNC(pdev->devfn), + cap_id, offset, size, config_size); + return -EINVAL; + } for (i = offset; i < offset + size; i++) { if (pdev->config_map[i]) { fprintf(stderr, "ERROR: %04x:%02x:%02x.%x " - "Attempt to add PCI capability %x at offset " - "%x overlaps existing capability %x at offset %x\n", + "Attempt to add PCI capability 0x%x at offset " + "0x%x overlaps existing capability 0x%x at offset 0x%x\n", pci_find_domain(pdev->bus), pci_bus_num(pdev->bus), PCI_SLOT(pdev->devfn), PCI_FUNC(pdev->devfn), cap_id, offset, pdev->config_map[i], i); -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
