On Wed, Feb 14, 2024 at 02:13:43PM +0900, Akihiko Odaki wrote:
> The guest may write NumVFs greater than TotalVFs and that can lead
> to buffer overflow in VF implementations.
>
> Fixes: 7c0fa8dff811 ("pcie: Add support for Single Root I/O Virtualization
> (SR/IOV)")
> Signed-off-by: Akihiko Odaki <akihiko.od...@daynix.com>
> ---
> hw/pci/pcie_sriov.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/hw/pci/pcie_sriov.c b/hw/pci/pcie_sriov.c
> index a1fe65f5d801..da209b7f47fd 100644
> --- a/hw/pci/pcie_sriov.c
> +++ b/hw/pci/pcie_sriov.c
> @@ -176,6 +176,9 @@ static void register_vfs(PCIDevice *dev)
>
> assert(sriov_cap > 0);
> num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF);
> + if (num_vfs > pci_get_word(dev->config + sriov_cap +
> PCI_SRIOV_TOTAL_VF)) {
> + return;
> + }
yes but with your change PCI_SRIOV_NUM_VF no longer reflects the
number of registered VFs and that might lead to uninitialized
data read which is not better :(.
How about just forcing the PCI_SRIOV_NUM_VF register to be
below PCI_SRIOV_TOTAL_VF at all times?
> dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs);
>
>
> --
> 2.43.0
