On Thu, Jun 04, 2020 at 01:52:51AM +0530, P J P wrote:
> From: Prasad J Pandit <p...@fedoraproject.org>
>
> While reading PCI configuration bytes, a guest may send an
> address towards the end of the configuration space. It may lead
> to an OOB access issue. Assert that 'address + len' is within
> PCI configuration space.
>
> Suggested-by: Philippe Mathieu-Daudé <phi...@redhat.com>
> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
My understanding is that this can't really happen normally, this is more
an assert in case some pci host devices are buggy, as is the case of
alt-vga. Right? Pls clarify commit log so it's obvious this is defence
in depth.

> ---
>  hw/pci/pci.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> Update v2: assert PCI configuration access is within bounds
>   -> https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00711.html
>
> diff --git a/hw/pci/pci.c b/hw/pci/pci.c
> index 70c66965f5..173bec4fd5 100644
> --- a/hw/pci/pci.c
> +++ b/hw/pci/pci.c
> @@ -1381,6 +1381,8 @@ uint32_t pci_default_read_config(PCIDevice *d,
>  {
>      uint32_t val = 0;
>
> +    assert(address + len <= pci_config_size(d));
> +
>      if (pci_is_express_downstream_port(d) &&
>          ranges_overlap(address, len, d->exp.exp_cap + PCI_EXP_LNKSTA, 2)) {
>          pcie_sync_bridge_lnk(d);
> --
> 2.26.2
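Review bot: the new `assert(address + len <= pci_config_size(d));` turns any out-of-bounds config read that does reach pci_default_read_config() into an abort of the whole QEMU process, so if a buggy device model (the reply above names the VGA case) can pass an unbounded address here from guest-controlled input, the assert converts an OOB read into a guest-triggerable VM crash rather than fixing it. The commit log should say explicitly that callers are expected to have already bounded `address` and `len` and that this line is defence in depth; the real bounds check for any such caller belongs in that caller and should return an error value (or all-ones, as PCI config reads conventionally do) instead of aborting. The commit message also speaks of "OOB access" in general, but the hunk only covers the read path; either add the same check to the matching write path, pci_default_write_config(), or state in the log why it is not needed there.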