pci: validate index before accessing MSI-X arrays
The index is derived from the access offset, so it is controlled by the guest. Check it before accessing internal data structures. Since Rust enforces strict bound check even in release builds, the VMM process will crash if the guest misbehaves. There is no security issue since the guest can only DoS itself. Signed-off-by: Wei Liu <liuwe@microsoft.com>
parent
c5c751c478
commit
78a30012fb
@ -213,6 +213,12 @@ impl MsixConfig {
|
||||
let index: usize = (offset / MSIX_TABLE_ENTRIES_MODULO) as usize;
|
||||
let modulo_offset = offset % MSIX_TABLE_ENTRIES_MODULO;
|
||||
|
||||
if index >= self.table_entries.len() {
|
||||
debug!("Invalid MSI-X table entry index {index}");
|
||||
data.copy_from_slice(&[0xff; 8][..data.len()]);
|
||||
return;
|
||||
}
|
||||
|
||||
match data.len() {
|
||||
4 => {
|
||||
let value = match modulo_offset {
|
||||
@ -260,6 +266,11 @@ impl MsixConfig {
|
||||
let index: usize = (offset / MSIX_TABLE_ENTRIES_MODULO) as usize;
|
||||
let modulo_offset = offset % MSIX_TABLE_ENTRIES_MODULO;
|
||||
|
||||
if index >= self.table_entries.len() {
|
||||
debug!("Invalid MSI-X table entry index {index}");
|
||||
return;
|
||||
}
|
||||
|
||||
// Store the value of the entry before modification
|
||||
let old_entry = self.table_entries[index].clone();
|
||||
|
||||
@ -351,6 +362,12 @@ impl MsixConfig {
|
||||
let index: usize = (offset / MSIX_PBA_ENTRIES_MODULO) as usize;
|
||||
let modulo_offset = offset % MSIX_PBA_ENTRIES_MODULO;
|
||||
|
||||
if index >= self.pba_entries.len() {
|
||||
debug!("Invalid MSI-X PBA entry index {index}");
|
||||
data.copy_from_slice(&[0xff; 8][..data.len()]);
|
||||
return;
|
||||
}
|
||||
|
||||
match data.len() {
|
||||
4 => {
|
||||
let value: u32 = match modulo_offset {
|
||||
|
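Review bot: The out-of-range fallback `data.copy_from_slice(&[0xff; 8][..data.len()]);` in the first hunk has a panic path of its own, because slicing the 8-byte array with `..data.len()` panics when `data` is longer than 8 bytes, and the length is only examined by the `match data.len()` that follows the new guard. The same line appears in the PBA read hunk. If the caller does not already cap the access size at 8 bytes (not visible here), a guest access combining a bad index with an oversized length would still crash the VMM, which is the outcome this commit sets out to prevent. `data.fill(0xff);` produces the same all-ones result for any length. The enclosing functions start and end outside the hunks.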