From: Prasad J Pandit <p...@fedoraproject.org>
While reading PCI configuration bytes, a guest may send an
address towards the end of the configuration space. It may lead
to an OOB access issue. Add check to ensure 'address + len' is
within PCI configuration space.
Reported-by: Ren Ding <rd...@gatech.edu>
Reported-by: Hanqing Zhao <hanq...@gatech.edu>
Reported-by: Yi Ren <c4t...@gmail.com>
Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
---
hw/pci/pci.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hw/pci/pci.c b/hw/pci/pci.c
index 70c66965f5..4429fa9401 100644
--- a/hw/pci/pci.c
+++ b/hw/pci/pci.c
@@ -1385,7 +1385,9 @@ uint32_t pci_default_read_config(PCIDevice *d,
ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) {
pcie_sync_bridge_lnk(d);
}
- memcpy(&val, d->config + address, len);
+ if (address + len <= pci_config_size(d)) {
+ memcpy(&val, d->config + address, len);
+ }
return le32_to_cpu(val);
}
--
2.26.2
