pcie_sriov: Validate NumVFs

The guest may write NumVFs greater than TotalVFs and that can lead to buffer overflow in VF implementations. Cc: qemu-stable@nongnu.org Fixes: CVE-2024-26327 Fixes: 7c0fa8dff811 ("pcie: Add support for Single Root I/O Virtualization (SR/IOV)") Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Message-Id: <20240228-reuse-v8-2-282660281e60@daynix.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Sriram Yagnaraman <sriram.yagnaraman@ericsson.com> (cherry picked from commit 6081b4243cd64dff1b2cf5b0c215c71e9d7e753b) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
author: Akihiko Odaki <akihiko.odaki@daynix.com> 2024-02-28 20:33:13 +0900
committer: Michael Tokarev <mjt@tls.msk.ru> 2024-03-14 21:24:34 +0300
commit: 309051ac4028547d8d7647262e79d16c667976fe (patch)
tree: 2009e711f9fc73fd1526aee5c2447da2eefcb03b /hw/pci
parent: 3f7892be2404335b1ff94902727612e4df47ae58 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/hw/pci/pcie_sriov.c b/hw/pci/pcie_sriov.c
index 3703d250f0..0d58e4db43 100644
--- a/hw/pci/pcie_sriov.c
+++ b/hw/pci/pcie_sriov.c
@@ -176,6 +176,9 @@ static void register_vfs(PCIDevice *dev)
 
     assert(sriov_cap > 0);
     num_vfs = pci_get_word(dev->config + sriov_cap + PCI_SRIOV_NUM_VF);
+    if (num_vfs > pci_get_word(dev->config + sriov_cap + PCI_SRIOV_TOTAL_VF)) {
+        return;
+    }
 
     dev->exp.sriov_pf.vf = g_new(PCIDevice *, num_vfs);
author	Akihiko Odaki <akihiko.odaki@daynix.com>	2024-02-28 20:33:13 +0900
committer	Michael Tokarev <mjt@tls.msk.ru>	2024-03-14 21:24:34 +0300
commit	309051ac4028547d8d7647262e79d16c667976fe (patch)
tree	2009e711f9fc73fd1526aee5c2447da2eefcb03b /hw/pci
parent	3f7892be2404335b1ff94902727612e4df47ae58 (diff)