On 6/3/20 2:40 PM, P J P wrote: > From: Prasad J Pandit <p...@fedoraproject.org> > > While reading PCI configuration bytes, a guest may send an > address towards the end of the configuration space. It may lead > to an OOB access issue. Add check to ensure 'address + len' is > within PCI configuration space. > > Reported-by: Ren Ding <rd...@gatech.edu> > Reported-by: Hanqing Zhao <hanq...@gatech.edu> > Reported-by: Yi Ren <c4t...@gmail.com> > Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> > --- > hw/pci/pci.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/hw/pci/pci.c b/hw/pci/pci.c > index 70c66965f5..4429fa9401 100644 > --- a/hw/pci/pci.c > +++ b/hw/pci/pci.c > @@ -1385,7 +1385,9 @@ uint32_t pci_default_read_config(PCIDevice *d, > ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) { > pcie_sync_bridge_lnk(d); > } > - memcpy(&val, d->config + address, len); > + if (address + len <= pci_config_size(d)) {
We don't want to hide/ignore earlier bugs, so IMO the caller should check for access in range, and this function abort() as it should never been called with such arguments. > + memcpy(&val, d->config + address, len); > + } > return le32_to_cpu(val); > } > >