Herbert Xu
2006-Nov-28 04:04 UTC
[Xen-devel] qemu/pci: Unaligned config read/write overflow
Hi: [QEMU] pci: Unaligned config read/write overflow The default config read/write handlers allows a 4-byte read/write at address 255. This can clobber the field after the config area. This happens to be the PCIBus pointer in the PCIDevice structure. This patch stops this from reducing the read/write to the (largest multiple of 2) number of bytes within the config area. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Cheers, -- Visit Openswan at http://www.openswan.org/ Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- diff -r 84c0f49de1b1 tools/ioemu/hw/pci.c --- a/tools/ioemu/hw/pci.c Mon Nov 27 10:06:41 2006 +0000 +++ b/tools/ioemu/hw/pci.c Tue Nov 28 14:57:22 2006 +1100 @@ -221,16 +221,23 @@ uint32_t pci_default_read_config(PCIDevi uint32_t address, int len) { uint32_t val; + switch(len) { + default: + case 4: + if (address <= 0xfc) { + val = le32_to_cpu(*(uint32_t *)(d->config + address)); + break; + } + /* fall through */ + case 2: + if (address <= 0xfe) { + val = le16_to_cpu(*(uint16_t *)(d->config + address)); + break; + } + /* fall through */ case 1: val = d->config[address]; - break; - case 2: - val = le16_to_cpu(*(uint16_t *)(d->config + address)); - break; - default: - case 4: - val = le32_to_cpu(*(uint32_t *)(d->config + address)); break; } return val; @@ -333,7 +340,8 @@ void pci_default_write_config(PCIDevice d->config[addr] = val; } - addr++; + if (++addr > 0xff) + break; val >>= 8; } _______________________________________________ Xen-devel mailing list Xen-devel@lists.xensource.com http://lists.xensource.com/xen-devel
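Review bot: In the pci_default_read_config hunk, the fall-through means a 4-byte read requested at 0xfd, 0xfe or 0xff silently returns only 2 or 1 bytes, zero-extended in the upper part of `val`, and the caller gets no indication that the access was narrowed; that may be the right behaviour for a guest poking past the end of config space, but it deserves a comment above the `switch`. The bounds `if (address <= 0xfc)` and `if (address <= 0xfe)` are also bare magic numbers tied to a 256-byte config area; spelling them as `address + 4 <= sizeof(d->config)` and `address + 2 <= sizeof(d->config)` (if `config` is a fixed-size array) would say why they are there. The `case 1:` arm still indexes `d->config[address]` with no check at all, so the fix relies on every caller having already masked `address` to 8 bits; please state that precondition in the function comment.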
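Review bot: In the pci_default_write_config hunk, `if (++addr > 0xff) break;` only guards the second and later bytes; the store `d->config[addr] = val;` on the first iteration happens before any bounds check, so a caller passing `addr >= 0x100` still writes outside the config area. Either check `addr` once before the loop or document that callers must pass an 8-bit offset. The comparison also presumes `addr` is wider than 8 bits: if it were declared `uint8_t`, `++addr` would wrap to 0 and the test could never be true, so confirm the declaration (not visible in the hunk). As on the read side, a write straddling the end of config space is now silently clipped; a one-line comment saying so would help the next reader.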
andrzej zaborowski
2006-Nov-29 14:51 UTC
[Xen-devel] Re: [Qemu-devel] qemu/pci: Unaligned config read/write overflow
Hi,

On 28/11/06, Herbert Xu <herbert@gondor.apana.org.au> wrote:
> The default config read/write handlers allows a 4-byte read/write at
> address 255. This can clobber the field after the config area. This
> happens to be the PCIBus pointer in the PCIDevice structure.

An easier way to prevent the clobbering is to grow PCIDevice::config by three bytes.

Regards,
Andrew
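The C model below is an added example for this thread; it is not code from Herbert's patch, from qemu's hw/pci.c, or from either poster. It reproduces the layout the commit message describes (a 256-byte config area followed directly by the bytes of a bus pointer), runs the pre-patch byte-by-byte write at address 255 to show the pointer being clobbered, then shows both fixes discussed above: Herbert's bounded read/write handlers and Andrzej's proposal of padding the config array by three bytes. `struct fake_dev`, `bus_clobbered`, `read_demo` and the other names are made up for the example, and the device is modelled as one flat byte buffer so the out-of-range store in the old loop stays inside a single object and can be observed with memcmp rather than as undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCI_CONFIG_SIZE 256
#define MAX_PAD 3                 /* the "three bytes" from Andrzej's reply */
#define BUS_SENTINEL 0xAA         /* constructed marker for the pointer bytes */

/* Hypothetical stand-in for PCIDevice (not qemu's struct): config area,
 * optional pad, then the bytes of the "PCIBus pointer" that follows config.
 * pad == 0 is the layout described in the mail, pad == 3 the padded one. */
struct fake_dev {
    uint8_t mem[PCI_CONFIG_SIZE + MAX_PAD + sizeof(uintptr_t)];
    size_t pad;
};

static uint8_t *bus_bytes(struct fake_dev *d)
{
    return d->mem + PCI_CONFIG_SIZE + d->pad;
}

static void dev_init(struct fake_dev *d, size_t pad)
{
    d->pad = pad;
    for (size_t i = 0; i < PCI_CONFIG_SIZE; i++)
        d->mem[i] = (uint8_t)i;   /* config[i] == i, so reads are easy to check */
    memset(d->mem + PCI_CONFIG_SIZE, BUS_SENTINEL, sizeof d->mem - PCI_CONFIG_SIZE);
}

/* Pre-patch write loop: len bytes from addr, nothing stops it at 0xff. */
static void write_config_unchecked(struct fake_dev *d, uint32_t addr, uint32_t val, int len)
{
    for (int i = 0; i < len; i++) {
        d->mem[addr] = (uint8_t)val;   /* reaches mem[0x102] for addr 0xff, len 4 */
        addr++;
        val >>= 8;
    }
}

/* Patched write loop; returns how many bytes were actually stored. */
static int write_config_bounded(struct fake_dev *d, uint32_t addr, uint32_t val, int len)
{
    int written = 0;
    if (addr > 0xff)               /* added here; the patch relies on callers for this */
        return 0;
    for (int i = 0; i < len; i++) {
        d->mem[addr] = (uint8_t)val;
        written++;
        if (++addr > 0xff)         /* the patch's new check */
            break;
        val >>= 8;
    }
    return written;
}

/* Patched read: widest of 4/2/1 bytes that fits, little-endian, same fall-through. */
static uint32_t read_config_bounded(const struct fake_dev *d, uint32_t addr, int len)
{
    int n;
    if (addr > 0xff)               /* added here; not in the patch */
        return 0;
    switch (len) {
    default:
    case 4:
        if (addr <= 0xfc) { n = 4; break; }
        /* fall through */
    case 2:
        if (addr <= 0xfe) { n = 2; break; }
        /* fall through */
    case 1:
        n = 1;
        break;
    }
    uint32_t val = 0;
    for (int i = 0; i < n; i++)
        val |= (uint32_t)d->mem[addr + i] << (8 * i);   /* le16/le32_to_cpu equivalent */
    return val;
}

/* 1 if a len-byte write at addr through the chosen handler changed the pointer bytes. */
static int bus_clobbered(int use_patched_write, size_t pad, uint32_t addr, int len)
{
    struct fake_dev d;
    uint8_t expect[sizeof(uintptr_t)];
    dev_init(&d, pad);
    memset(expect, BUS_SENTINEL, sizeof expect);
    if (use_patched_write)
        write_config_bounded(&d, addr, 0x11223344u, len);
    else
        write_config_unchecked(&d, addr, 0x11223344u, len);
    return memcmp(bus_bytes(&d), expect, sizeof expect) != 0;
}

static uint32_t read_demo(uint32_t addr, int len)
{
    struct fake_dev d;
    dev_init(&d, 0);
    return read_config_bounded(&d, addr, len);
}

static int bounded_write_count(uint32_t addr, int len)
{
    struct fake_dev d;
    dev_init(&d, 0);
    return write_config_bounded(&d, addr, 0x11223344u, len);
}

int main(void)
{
    printf("unchecked write @0xff len 4, no pad: bus clobbered = %d\n", bus_clobbered(0, 0, 0xff, 4));
    printf("patched write   @0xff len 4, no pad: bus clobbered = %d\n", bus_clobbered(1, 0, 0xff, 4));
    printf("unchecked write @0xff len 4, pad 3 : bus clobbered = %d\n", bus_clobbered(0, 3, 0xff, 4));
    printf("patched read @0xfd len 4 = 0x%08x, @0xff len 4 = 0x%08x\n", read_demo(0xfd, 4), read_demo(0xff, 4));
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c` and run it. The unpadded, unchecked case is the one the commit message describes: three bytes of the pointer take the value 0x11, 0x22, 0x33. Both fixes leave the pointer intact, but they differ in what the guest sees: the bounded handlers clip the access (a dword read at 0xfd returns 0x0000fefd, a dword write at 0xfe stores two bytes), while the padded layout performs the full access into bytes no real config register occupies.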