14.02.2024 08:13, Akihiko Odaki wrote:
The guest may write NumVFs greater than TotalVFs and that can lead
to buffer overflow in VF implementations.

This seems to be stable-worthy (Cc'd), and maybe even CVE-worthy?

Thanks,

/mjt

Fixes: 7c0fa8dff811 ("pcie: Add support for Single Root I/O Virtualization 
(SR/IOV)")
Signed-off-by: Akihiko Odaki <akihiko.od...@daynix.com>
---
  hw/pci/pcie_sriov.c | 3 +++
  1 file changed, 3 insertions(+)

diff --git a/hw/pci/pcie_sriov.c b/hw/pci/pcie_sriov.c
index a1fe65f5d801..da209b7f47fd 100644
--- a/hw/pci/pcie_sriov.c
+++ b/hw/pci/pcie_sriov.c
@@ -176,6 +176,9 @@ static void register_vfs(PCIDevice *dev)
assert(sriov_cap > 0);
      num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF);
+    if (num_vfs > pci_get_word(dev->config + sriov_cap + PCI_SRIOV_TOTAL_VF)) {
+        return;
+    }
dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs);


Reply via email to