aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorIsaku Yamahata <yamahata@valinux.co.jp>2011-07-29 10:01:43 +0900
committerMichael S. Tsirkin <mst@redhat.com>2011-07-29 08:01:52 +0300
commit43e86c8f5b6d9f6279e20dede4e1f7829bdc43b7 (patch)
tree4221090f4a8bd3aaa68a3ad7f464ceda4dc21634
parent845f85fa1597c72609bd10a37b9586b445c13d49 (diff)
pcie_host: verify mmcfg address range
For a conventional pci device behind a pcie-to-pci bridge, pci_host handlers get confused by an out of bounds access in the range [256, 4K). Check for such an access and make it have no effect. Signed-off-by: Isaku Yamahata <yamahata@valinux.co.jp> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-rw-r--r--hw/pcie_host.c28
1 files changed, 22 insertions, 6 deletions
diff --git a/hw/pcie_host.c b/hw/pcie_host.c
index f0b3d13aae..f9fea3d918 100644
--- a/hw/pcie_host.c
+++ b/hw/pcie_host.c
@@ -56,23 +56,39 @@ static void pcie_mmcfg_data_write(PCIBus *s,
uint32_t mmcfg_addr, uint32_t val, int len)
{
PCIDevice *pci_dev = pcie_dev_find_by_mmcfg_addr(s, mmcfg_addr);
+ uint32_t addr;
+ uint32_t limit;
if (!pci_dev) {
return;
}
- pci_host_config_write_common(pci_dev, PCIE_MMCFG_CONFOFFSET(mmcfg_addr),
- pci_config_size(pci_dev), val, len);
+ addr = PCIE_MMCFG_CONFOFFSET(mmcfg_addr);
+ limit = pci_config_size(pci_dev);
+ if (limit <= addr) {
+ /* conventional pci device can be behind pcie-to-pci bridge.
+ 256 <= addr < 4K has no effects. */
+ return;
+ }
+ pci_host_config_write_common(pci_dev, addr, limit, val, len);
}
-static uint32_t pcie_mmcfg_data_read(PCIBus *s, uint32_t addr, int len)
+static uint32_t pcie_mmcfg_data_read(PCIBus *s, uint32_t mmcfg_addr, int len)
{
- PCIDevice *pci_dev = pcie_dev_find_by_mmcfg_addr(s, addr);
+ PCIDevice *pci_dev = pcie_dev_find_by_mmcfg_addr(s, mmcfg_addr);
+ uint32_t addr;
+ uint32_t limit;
if (!pci_dev) {
return ~0x0;
}
- return pci_host_config_read_common(pci_dev, PCIE_MMCFG_CONFOFFSET(addr),
- pci_config_size(pci_dev), len);
+ addr = PCIE_MMCFG_CONFOFFSET(mmcfg_addr);
+ limit = pci_config_size(pci_dev);
+ if (limit <= addr) {
+ /* conventional pci device can be behind pcie-to-pci bridge.
+ 256 <= addr < 4K has no effects. */
+ return ~0x0;
+ }
+ return pci_host_config_read_common(pci_dev, addr, limit, len);
}
static void pcie_mmcfg_data_writeb(void *opaque,