qemu-kvm/kvm-hw-vfio-pci-quirks-Sanitize-capability-pointer.patch
Miroslav Rezanina 42a945317b * Mon Jul 17 2023 Miroslav Rezanina <mrezanin@redhat.com> - 8.0.0-8
- kvm-virtio-iommu-Fix-64kB-host-page-size-VFIO-device-ass.patch [bz#2211609 bz#2211634]
- kvm-virtio-iommu-Rework-the-traces-in-virtio_iommu_set_p.patch [bz#2211609 bz#2211634]
- kvm-vfio-pci-add-support-for-VF-token.patch [bz#2192818]
- kvm-vfio-migration-Skip-log_sync-during-migration-SETUP-.patch [bz#2192818]
- kvm-vfio-pci-Static-Resizable-BAR-capability.patch [bz#2192818]
- kvm-vfio-pci-Fix-a-use-after-free-issue.patch [bz#2192818]
- kvm-util-vfio-helpers-Use-g_file_read_link.patch [bz#2192818]
- kvm-migration-Make-all-functions-check-have-the-same-for.patch [bz#2192818]
- kvm-migration-Move-migration_properties-to-options.c.patch [bz#2192818]
- kvm-migration-Add-switchover-ack-capability.patch [bz#2192818]
- kvm-migration-Implement-switchover-ack-logic.patch [bz#2192818]
- kvm-migration-Enable-switchover-ack-capability.patch [bz#2192818]
- kvm-vfio-migration-Refactor-vfio_save_block-to-return-sa.patch [bz#2192818]
- kvm-vfio-migration-Store-VFIO-migration-flags-in-VFIOMig.patch [bz#2192818]
- kvm-vfio-migration-Add-VFIO-migration-pre-copy-support.patch [bz#2192818]
- kvm-vfio-migration-Add-support-for-switchover-ack-capabi.patch [bz#2192818]
- kvm-vfio-Implement-a-common-device-info-helper.patch [bz#2192818]
- kvm-hw-vfio-pci-quirks-Support-alternate-offset-for-GPUD.patch [bz#2192818]
- kvm-vfio-pci-Call-vfio_prepare_kvm_msi_virq_batch-in-MSI.patch [bz#2192818]
- kvm-vfio-migration-Reset-bytes_transferred-properly.patch [bz#2192818]
- kvm-vfio-migration-Make-VFIO-migration-non-experimental.patch [bz#2192818]
- kvm-vfio-pci-Fix-a-segfault-in-vfio_realize.patch [bz#2192818]
- kvm-vfio-pci-Free-leaked-timer-in-vfio_realize-error-pat.patch [bz#2192818]
- kvm-hw-vfio-pci-quirks-Sanitize-capability-pointer.patch [bz#2192818]
- kvm-vfio-pci-Disable-INTx-in-vfio_realize-error-path.patch [bz#2192818]
- kvm-vfio-migration-Change-vIOMMU-blocker-from-global-to-.patch [bz#2192818]
- kvm-vfio-migration-Free-resources-when-vfio_migration_re.patch [bz#2192818]
- kvm-vfio-migration-Remove-print-of-Migration-disabled.patch [bz#2192818]
- kvm-vfio-migration-Return-bool-type-for-vfio_migration_r.patch [bz#2192818]
- kvm-vfio-Fix-null-pointer-dereference-bug-in-vfio_bars_f.patch [bz#2192818]
- kvm-pc-bios-s390-ccw-Makefile-Use-z-noexecstack-to-silen.patch [bz#2220866]
- kvm-pc-bios-s390-ccw-Fix-indentation-in-start.S.patch [bz#2220866]
- kvm-pc-bios-s390-ccw-Provide-space-for-initial-stack-fra.patch [bz#2220866]
- kvm-pc-bios-s390-ccw-Don-t-use-__bss_start-with-the-larl.patch [bz#2220866]
- kvm-ui-Fix-pixel-colour-channel-order-for-PNG-screenshot.patch [bz#2222579]
- kvm-block-blkio-fix-module_block.py-parsing.patch [bz#2213317]
- kvm-Fix-virtio-blk-vhost-vdpa-typo-in-spec-file.patch [bz#2213317]
- Resolves: bz#2211609
  (With virtio-iommu and vfio-pci, qemu reports "warning: virtio-iommu page mask 0xfffffffffffff000 does not match 0x40201000")
- Resolves: bz#2211634
  ([aarch64] With virtio-iommu and vfio-pci, qemu coredump when host using kernel-64k package)
- Resolves: bz#2192818
  ([VFIO LM] Live migration)
- Resolves: bz#2220866
  (Misaligned symbol for s390-ccw image during qemu-kvm build)
- Resolves: bz#2222579
  (PNG screendump doesn't save screen correctly)
- Resolves: bz#2213317
  (Enable libblkio-based block drivers in QEMU)
2023-07-17 04:44:00 -04:00

77 lines
2.7 KiB
Diff

From fcd6219a95851d17fd8bde69d87e78c6533be990 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Le=20Goater?= <clg@redhat.com>
Date: Wed, 12 Jul 2023 17:46:57 +0200
Subject: [PATCH 24/37] hw/vfio/pci-quirks: Sanitize capability pointer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Cédric Le Goater <clg@redhat.com>
RH-MergeRequest: 179: vfio: live migration support
RH-Bugzilla: 2192818
RH-Acked-by: Eric Auger <eric.auger@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Commit: [22/28] cb080409c1912f4365f8e31cd23c914b48f91575 (clegoate/qemu-kvm-c9s)
Bugzilla: https://bugzilla.redhat.com/2192818
commit 0ddcb39c9357
Author: Alex Williamson <alex.williamson@redhat.com>
Date: Fri Jun 30 16:36:08 2023 -0600
hw/vfio/pci-quirks: Sanitize capability pointer
Coverity reports a tained scalar when traversing the capabilities
chain (CID 1516589). In practice I've never seen a device with a
chain so broken as to cause an issue, but it's also pretty easy to
sanitize.
Fixes: f6b30c1984f7 ("hw/vfio/pci-quirks: Support alternate offset for GPUDirect Cliques")
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
hw/vfio/pci-quirks.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c
index 0ed2fcd531..f4ff836805 100644
--- a/hw/vfio/pci-quirks.c
+++ b/hw/vfio/pci-quirks.c
@@ -1530,6 +1530,12 @@ const PropertyInfo qdev_prop_nv_gpudirect_clique = {
.set = set_nv_gpudirect_clique_id,
};
+static bool is_valid_std_cap_offset(uint8_t pos)
+{
+ return (pos >= PCI_STD_HEADER_SIZEOF &&
+ pos <= (PCI_CFG_SPACE_SIZE - PCI_CAP_SIZEOF));
+}
+
static int vfio_add_nv_gpudirect_cap(VFIOPCIDevice *vdev, Error **errp)
{
PCIDevice *pdev = &vdev->pdev;
@@ -1563,7 +1569,7 @@ static int vfio_add_nv_gpudirect_cap(VFIOPCIDevice *vdev, Error **errp)
*/
ret = pread(vdev->vbasedev.fd, &tmp, 1,
vdev->config_offset + PCI_CAPABILITY_LIST);
- if (ret != 1 || !tmp) {
+ if (ret != 1 || !is_valid_std_cap_offset(tmp)) {
error_setg(errp, "NVIDIA GPUDirect Clique ID: error getting cap list");
return -EINVAL;
}
@@ -1575,7 +1581,7 @@ static int vfio_add_nv_gpudirect_cap(VFIOPCIDevice *vdev, Error **errp)
d4_conflict = true;
}
tmp = pdev->config[tmp + PCI_CAP_LIST_NEXT];
- } while (tmp);
+ } while (is_valid_std_cap_offset(tmp));
if (!c8_conflict) {
pos = 0xC8;
--
2.39.3