Revision 98f3488c1b6090024299f8d6362aa6aac03fe26d authored by Akihiko Odaki on 28 February 2024, 11:33:12 UTC, committed by Michael Tokarev on 13 March 2024, 18:52:34 UTC
nvme_sriov_pre_write_ctrl() used to directly inspect SR-IOV
configurations to know the number of VFs being disabled due to SR-IOV
configuration writes, but the logic was flawed and resulted in
out-of-bounds memory access.

It assumed PCI_SRIOV_NUM_VF always has the number of currently enabled
VFs, but it actually doesn't in the following cases:
- PCI_SRIOV_NUM_VF has been set but PCI_SRIOV_CTRL_VFE has never been.
- PCI_SRIOV_NUM_VF was written after PCI_SRIOV_CTRL_VFE was set.
- VFs were only partially enabled because of realization failure.

It is the responsibility of pcie_sriov to interpret SR-IOV configurations,
and pcie_sriov does it correctly, so use pcie_sriov_num_vfs(), which it
provides, to get the number of enabled VFs before and after SR-IOV
configuration writes.

Cc: qemu-stable@nongnu.org
Fixes: CVE-2024-26328
Fixes: 11871f53ef8e ("hw/nvme: Add support for the Virtualization Management command")
Suggested-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Message-Id: <20240228-reuse-v8-1-282660281e60@daynix.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 91bb64a8d2014fda33a81fcf0fce37340f0d3b0c)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
1 parent 3097bcb
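Added example, not QEMU code: a stand-alone C model of the three situations the commit message lists, in which the raw PCI_SRIOV_NUM_VF register disagrees with the number of VFs that are actually enabled. All type and function names are hypothetical stand-ins; `vfs_to_disable_flawed()` mirrors the old "trust the register" logic and `vfs_to_disable_fixed()` mirrors asking the SR-IOV layer, as the fix does with pcie_sriov_num_vfs(). MAX_VFS and the realization-failure count are constructed values.

```c
/* Stand-alone model of the bookkeeping bug described above; not QEMU code,
 * all names are hypothetical stand-ins for the real nvme/pcie_sriov ones. */
#include <stdbool.h>
#include <stdint.h>

#define PCI_SRIOV_CTRL_VFE 0x1 /* VF Enable bit of PCI_SRIOV_CTRL */
#define MAX_VFS 4              /* per-VF state entries allocated (constructed) */

typedef struct {
    uint16_t num_vf;         /* raw PCI_SRIOV_NUM_VF register value */
    uint16_t ctrl;           /* raw PCI_SRIOV_CTRL register value */
    uint16_t realized_vfs;   /* VFs actually enabled; what pcie_sriov tracks */
    uint16_t vfs_realizable; /* how many VF realizations succeed (constructed) */
} PFModel;

/* A guest write to PCI_SRIOV_NUM_VF only stores the value; no VF changes. */
static void write_num_vf(PFModel *pf, uint16_t v) { pf->num_vf = v; }

/* A guest write to PCI_SRIOV_CTRL: setting VFE realizes up to num_vf VFs
 * (some may fail), clearing it tears down whatever was actually realized. */
static void write_ctrl(PFModel *pf, uint16_t v)
{
    bool was_on = pf->ctrl & PCI_SRIOV_CTRL_VFE;
    bool on = v & PCI_SRIOV_CTRL_VFE;
    if (!was_on && on) {
        uint16_t want = pf->num_vf < MAX_VFS ? pf->num_vf : MAX_VFS;
        pf->realized_vfs = want < pf->vfs_realizable ? want : pf->vfs_realizable;
    } else if (was_on && !on) {
        pf->realized_vfs = 0;
    }
    pf->ctrl = v;
}

/* Flawed: trusts NUM_VF as the count of currently enabled VFs. */
static uint16_t vfs_to_disable_flawed(const PFModel *pf) { return pf->num_vf; }

/* Fixed: asks the SR-IOV layer, like pcie_sriov_num_vfs() in the real fix. */
static uint16_t vfs_to_disable_fixed(const PFModel *pf) { return pf->realized_vfs; }

/* True if looping over `count` per-VF entries would run past the array. */
static bool would_overrun(uint16_t count) { return count > MAX_VFS; }

int main(void)
{
    PFModel pf = { .vfs_realizable = MAX_VFS }; /* NUM_VF set, VFE never set */
    write_num_vf(&pf, 16);
    return would_overrun(vfs_to_disable_fixed(&pf)) ? 1 : 0; /* exit 0: safe */
}
```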