SYS-OSS/FRET-qemu
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

hw/i386/intel_iommu: Fix out-of-bounds access on guest IRT

Browse Source 
vtd_irte_get failed to check the index against the configured table
size, causing an out-of-bounds access on guest memory and potentially
misinterpreting the result.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Message-Id: <4b15b728-bdfe-3bbe-3a5c-ca3baeef3c5c@siemens.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
This commit is contained in:
Jan Kiszka 2020-03-10 18:42:11 +01:00 committed by Paolo Bonzini
parent 6c94b95274
commit 3c507c26ec
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
hw/i386/intel_iommu.c
View File

@ -3094,6 +3094,12 @@ static int vtd_irte_get(IntelIOMMUState *iommu, uint16_t index,
uint16_t mask, source_id; uint16_t mask, source_id;
uint8_t bus, bus_max, bus_min; uint8_t bus, bus_max, bus_min;
if (index >= iommu->intr_size) {
error_report_once("%s: index too large: ind=0x%x",
__func__, index);
return -VTD_FR_IR_INDEX_OVER;
}
addr = iommu->intr_root + index * sizeof(*entry); addr = iommu->intr_root + index * sizeof(*entry);
if (dma_memory_read(&address_space_memory, addr, entry, if (dma_memory_read(&address_space_memory, addr, entry,
sizeof(*entry))) { sizeof(*entry))) {