On 6/3/20 2:40 PM, P J P wrote:
> From: Prasad J Pandit <p...@fedoraproject.org>
>
> While reading PCI configuration bytes, a guest may send an
> address towards the end of the configuration space. It may lead
> to an OOB access issue. Add check to ensure 'address + len' is
> within PCI configuration space.
>
> Reported-by: Ren Ding <rd...@gatech.edu>
> Reported-by: Hanqing Zhao <hanq...@gatech.edu>
> Reported-by: Yi Ren <c4t...@gmail.com>
> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
> ---
> hw/pci/pci.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/hw/pci/pci.c b/hw/pci/pci.c
> index 70c66965f5..4429fa9401 100644
> --- a/hw/pci/pci.c
> +++ b/hw/pci/pci.c
> @@ -1385,7 +1385,9 @@ uint32_t pci_default_read_config(PCIDevice *d,
> ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) {
> pcie_sync_bridge_lnk(d);
> }
> - memcpy(&val, d->config + address, len);
> + if (address + len <= pci_config_size(d)) {
We don't want to hide/ignore earlier bugs, so IMO the caller should
check for access in range, and this function abort() as it should never
been called with such arguments.
> + memcpy(&val, d->config + address, len);
> + }
> return le32_to_cpu(val);
> }
>
>
