[PATCH v2 2/4] vfio/pci: Grow buffer in vfio_pci_host_match()

Akihiko Odaki posted 4 patches 1 month, 1 week ago
Maintainers: Viktor Prutyanov <viktor.prutyanov@phystech.edu>, Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>, Alex Williamson <alex@shazbot.org>, "Cédric Le Goater" <clg@redhat.com>, Paolo Bonzini <pbonzini@redhat.com>, "Marc-André Lureau" <marcandre.lureau@redhat.com>, "Daniel P. Berrangé" <berrange@redhat.com>, "Philippe Mathieu-Daudé" <philmd@linaro.org>, Markus Armbruster <armbru@redhat.com>, Michael Roth <michael.roth@amd.com>
There is a newer version of this series
[PATCH v2 2/4] vfio/pci: Grow buffer in vfio_pci_host_match()
Posted by Akihiko Odaki 1 month, 1 week ago
Ensure the buffer in vfio_pci_host_match() will not overflow even when
an invalid addr parameter is provided.

Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
---
 hw/vfio/pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index c89f3fbea348..94c174a773fb 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -2739,7 +2739,7 @@ void vfio_pci_post_reset(VFIOPCIDevice *vdev)
 
 bool vfio_pci_host_match(PCIHostDeviceAddress *addr, const char *name)
 {
-    char tmp[13];
+    char tmp[36];
 
     sprintf(tmp, "%04x:%02x:%02x.%1x", addr->domain,
             addr->bus, addr->slot, addr->function);
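Review bot: The `sprintf(tmp, ...)` call left unchanged under `char tmp[36];` is still unbounded, so the fix holds only while the array size is kept in step with the format string by hand. The widths in `%04x:%02x:%02x.%1x` are minimums, not limits, which is why the old 13-byte buffer was only sufficient for well-formed addresses. Consider `snprintf(tmp, sizeof(tmp), ...)` here, so that a later change to the format or to the field types cannot reintroduce the overflow.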

-- 
2.53.0
Re: [PATCH v2 2/4] vfio/pci: Grow buffer in vfio_pci_host_match()
Posted by Alex Williamson 1 month, 1 week ago
On Mon, 02 Mar 2026 16:48:09 +0900
Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp> wrote:

> Ensure the buffer in vfio_pci_host_match() will not overflow even when
> an invalid addr parameter is provided.

This commit log could be much more straightforward.  Something like:

    Each field of PCIHostDeviceAddress is an unsigned int, therefore
    while a valid address is limited to 13 characters, an invalid
    address could exceed the specified format, up to:

        ffffffff:ffffffff:ffffffff.ffffffff<NUL>

    This requires 36 characters with the terminator.

With that:

Reviewed-by: Alex Williamson <alex.williamson@nvidia.com>
    

> Signed-off-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
> ---
>  hw/vfio/pci.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
> index c89f3fbea348..94c174a773fb 100644
> --- a/hw/vfio/pci.c
> +++ b/hw/vfio/pci.c
> @@ -2739,7 +2739,7 @@ void vfio_pci_post_reset(VFIOPCIDevice *vdev)
>  
>  bool vfio_pci_host_match(PCIHostDeviceAddress *addr, const char *name)
>  {
> -    char tmp[13];
> +    char tmp[36];
>  
>      sprintf(tmp, "%04x:%02x:%02x.%1x", addr->domain,
>              addr->bus, addr->slot, addr->function);
>
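Review bot: `char tmp[36];` is a bare magic number, and nothing in the function ties it to the format string on the following `sprintf()` line. A short comment above the declaration deriving the size (four fields of up to 8 hex digits each, three separators, and the terminator, per the worst case spelled out in the reply above) would keep that reasoning next to the code rather than only in the commit log.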