On Wed, Feb 14, 2024 at 02:13:43PM +0900, Akihiko Odaki wrote: > The guest may write NumVFs greater than TotalVFs and that can lead > to buffer overflow in VF implementations. > > Fixes: 7c0fa8dff811 ("pcie: Add support for Single Root I/O Virtualization > (SR/IOV)") > Signed-off-by: Akihiko Odaki <akihiko.od...@daynix.com> > --- > hw/pci/pcie_sriov.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/hw/pci/pcie_sriov.c b/hw/pci/pcie_sriov.c > index a1fe65f5d801..da209b7f47fd 100644 > --- a/hw/pci/pcie_sriov.c > +++ b/hw/pci/pcie_sriov.c > @@ -176,6 +176,9 @@ static void register_vfs(PCIDevice *dev) > > assert(sriov_cap > 0); > num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF); > + if (num_vfs > pci_get_word(dev->config + sriov_cap + > PCI_SRIOV_TOTAL_VF)) { > + return; > + }
yes but with your change PCI_SRIOV_NUM_VF no longer reflects the number of registered VFs and that might lead to uninitialized data read which is not better :(. How about just forcing the PCI_SRIOV_NUM_VF register to be below PCI_SRIOV_TOTAL_VF at all times? > dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs); > > > -- > 2.43.0