From: Aditya Gupta <[email protected]> As reported in https://gitlab.com/qemu-project/qemu/-/work_items/3334, callers of 'pci_host_config_{read,write}_common' can pass length as 8, causing an assert failure.
The original issue with pnv_phb3 triggering the assert was fixed in a previous commit Instead of asserting on invalid length, check if the length is valid (<=4), otherwise return (with the failure error code in read) Reported-by: Zexiang Zhang <[email protected]> Signed-off-by: Aditya Gupta <[email protected]> Reviewed-by: Michael S. Tsirkin <[email protected]> Signed-off-by: Michael S. Tsirkin <[email protected]> Message-Id: <[email protected]> --- hw/pci/pci_host.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/hw/pci/pci_host.c b/hw/pci/pci_host.c index 91e3885c7f..2a7fdfa563 100644 --- a/hw/pci/pci_host.c +++ b/hw/pci/pci_host.c @@ -81,7 +81,12 @@ void pci_host_config_write_common(PCIDevice *pci_dev, uint32_t addr, return; } - assert(len <= 4); + if (len > 4) { + PCI_DPRINTF("%s: invalid length access: addr " HWADDR_FMT_plx " \ + len %d val %"PRIx32"\n", __func__, addr, len, val); + return; + } + /* non-zero functions are only exposed when function 0 is present, * allowing direct removal of unexposed functions. */ @@ -106,7 +111,12 @@ uint32_t pci_host_config_read_common(PCIDevice *pci_dev, uint32_t addr, return ~0x0; } - assert(len <= 4); + if (len > 4) { + PCI_DPRINTF("%s: invalid length access: addr " HWADDR_FMT_plx " \ + len %d val %"PRIx32"\n", __func__, addr, len, val); + return ~0x0; + } + /* non-zero functions are only exposed when function 0 is present, * allowing direct removal of unexposed functions. */ -- MST
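Review bot: In the pci_host_config_write_common hunk, the out-of-range length is now dropped with only a PCI_DPRINTF, which is a compile-time debug macro, so in a normal build an 8-byte write from a guest-visible config access is discarded without any trace; consider qemu_log_mask(LOG_GUEST_ERROR, ...) instead so the malformed access remains visible in production logs. Separately, the string literal is continued with a trailing backslash ("... " HWADDR_FMT_plx " \" followed by "len %d val %"PRIx32"\n"), which splices the next line's leading indentation into the message; split it into two adjacent literals instead.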
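Review bot: In the pci_host_config_read_common hunk, the PCI_DPRINTF arguments pass `val` and format it with %"PRIx32", but the read variant has no value being written and the signature visible in the hunk header shows only `pci_dev` and `addr` before the cut; unless `val` is a local in scope here, this only compiles because PCI_DPRINTF expands to nothing when DEBUG_PCI is not defined. Drop `val` and its specifier from the read path's message, or verify the build with DEBUG_PCI enabled.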
