pci: validate index before accessing MSI-X arrays

The index is derived from the access offset, so it is controlled by the
guest. Check it before accessing internal data structures.

Since Rust enforces strict bounds checks even in release builds, the VMM
process will crash if the guest misbehaves. There is no security issue
since the guest can only DoS itself.

Signed-off-by: Wei Liu <liuwe@microsoft.com>
Wei Liu 2024-08-14 04:39:56 +00:00 committed by Rob Bradford
parent c5c751c478
commit 78a30012fb


@ -213,6 +213,12 @@ impl MsixConfig {
let index: usize = (offset / MSIX_TABLE_ENTRIES_MODULO) as usize;
let modulo_offset = offset % MSIX_TABLE_ENTRIES_MODULO;
if index >= self.table_entries.len() {
debug!("Invalid MSI-X table entry index {index}");
data.copy_from_slice(&[0xff; 8][..data.len()]);
return;
}
match data.len() {
4 => {
let value = match modulo_offset {
@ -260,6 +266,11 @@ impl MsixConfig {
let index: usize = (offset / MSIX_TABLE_ENTRIES_MODULO) as usize;
let modulo_offset = offset % MSIX_TABLE_ENTRIES_MODULO;
if index >= self.table_entries.len() {
debug!("Invalid MSI-X table entry index {index}");
return;
}
// Store the value of the entry before modification
let old_entry = self.table_entries[index].clone();
@ -351,6 +362,12 @@ impl MsixConfig {
let index: usize = (offset / MSIX_PBA_ENTRIES_MODULO) as usize;
let modulo_offset = offset % MSIX_PBA_ENTRIES_MODULO;
if index >= self.pba_entries.len() {
debug!("Invalid MSI-X PBA entry index {index}");
data.copy_from_slice(&[0xff; 8][..data.len()]);
return;
}
match data.len() {
4 => {
let value: u32 = match modulo_offset {
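Review bot: The new out-of-range guards on the table read and the PBA read both use `data.copy_from_slice(&[0xff; 8][..data.len()]);`, which slices by the access length, so a `data` longer than 8 bytes would panic inside the guard itself, before the `match data.len()` below it is reached. Whether the bus can deliver such an access is not visible in these hunks, but since the commit's aim is to keep guest-controlled values away from panicking indexing, `data.fill(0xff);` yields the same all-ones result for any length without the inner slice. The write-path guard has no such slice and simply returns. All three enclosing functions start and end outside the hunks shown.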