From: Prasad J Pandit <p...@fedoraproject.org> While reading PCI configuration bytes, a guest may send an address towards the end of the configuration space. It may lead to an OOB access issue. Assert that 'address + len' is within PCI configuration space.
Suggested-by: Philippe Mathieu-Daudé <phi...@redhat.com> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> --- hw/pci/pci.c | 2 ++ 1 file changed, 2 insertions(+) Update v2: assert PCI configuration access is within bounds -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00711.html diff --git a/hw/pci/pci.c b/hw/pci/pci.c index 70c66965f5..173bec4fd5 100644 --- a/hw/pci/pci.c +++ b/hw/pci/pci.c @@ -1381,6 +1381,8 @@ uint32_t pci_default_read_config(PCIDevice *d, { uint32_t val = 0; + assert(address + len <= pci_config_size(d)); + if (pci_is_express_downstream_port(d) && ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) { pcie_sync_bridge_lnk(d); -- 2.26.2
