Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
xen.5015
xsa164.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File xsa164.patch of Package xen.5015
References: bsc#958007 XSA-164 MSI-X: avoid array overrun upon MSI-X table writes pt_msix_init() allocates msix->msix_entry[] to just cover msix->total_entries entries. While pci_msix_readl() resorts to reading physical memory for out of bounds reads, pci_msix_writel() so far simply accessed/corrupted unrelated memory. pt_iomem_map()'s call to cpu_register_physical_memory() registers a page granular region, which is necessary as the Pending Bit Array may share space with the MSI-X table (but nothing else is allowed to). This also explains why pci_msix_readl() actually honors out of bounds reads, but pci_msi_writel() doesn't need to. This is XSA-164. Signed-off-by: Jan Beulich <jbeulich@suse.com> Index: xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c +++ xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c @@ -447,6 +447,13 @@ static void pci_msix_writel(void *opaque return; } + if ( addr - msix->mmio_base_addr >= msix->total_entries * 16 ) + { + PT_LOG("Error: Out of bounds write to MSI-X table," + " addr %016"PRIx64"\n", addr); + return; + } + entry_nr = (addr - msix->mmio_base_addr) / 16; entry = &msix->msix_entry[entry_nr]; offset = ((addr - msix->mmio_base_addr) % 16) / 4;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor