Typo: s/ait/ati/ On Thu, Jun 04, 2020 at 01:52:50AM +0530, P J P wrote: > From: Prasad J Pandit <p...@fedoraproject.org> > > While reading PCI configuration bytes, a guest may send an > address towards the end of the configuration space. It may lead > to an OOB access issue. Add check to ensure 'address + size' is > within PCI configuration space.
Please include a CVE number for this security flaw if there is one. > > Reported-by: Ren Ding <rd...@gatech.edu> > Reported-by: Hanqing Zhao <hanq...@gatech.edu> > Reported-by: Yi Ren <c4t...@gmail.com> > Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> > --- > hw/display/ati.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > Update v2: add check to avoid OOB PCI configuration space access > -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00711.html > > diff --git a/hw/display/ati.c b/hw/display/ati.c > index bda4a2d816..6671959e5d 100644 > --- a/hw/display/ati.c > +++ b/hw/display/ati.c > @@ -384,7 +384,10 @@ static uint64_t ati_mm_read(void *opaque, hwaddr addr, > unsigned int size) > val = s->regs.crtc_pitch; > break; > case 0xf00 ... 0xfff: > - val = pci_default_read_config(&s->dev, addr - 0xf00, size); > + addr = addr - 0xf00; > + if (addr + size <= 0xff) { > + val = pci_default_read_config(&s->dev, addr, size); > + } > break; > case CUR_OFFSET: > val = s->regs.cur_offset; > -- > 2.26.2 > Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
