1. Patchew
  2. QEMU
  3. View series

[PATCH] vfio/pci: Fix information leak in vfio_rom_read()

Cédric Le Goater posted 1 patch 5 days, 19 hours ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20260602074446.1206892-1-clg@redhat.com
Maintainers: Alex Williamson <alex@shazbot.org>, "Cédric Le Goater" <clg@redhat.com>
hw/vfio/pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] vfio/pci: Fix information leak in vfio_rom_read()
Posted by Cédric Le Goater 5 days, 19 hours ago 
vfio_rom_read() can leak uninitialized stack data to the guest when a
read occurs at the end boundary of the ROM BAR.

Fix this by initializing the val union to 0xff, matching the ROM
initialization pattern used in vfio_pci_load_rom().

Signed-off-by: Cédric Le Goater <clg@redhat.com>
---
 hw/vfio/pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index 9df04fa2d76b1a78ee884d915f5a0c3c5fdb6115..de28e72519326741295c19f4a07208b95861f2ce 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -1142,7 +1142,7 @@ static uint64_t vfio_rom_read(void *opaque, hwaddr addr, unsigned size)
         uint16_t word;
         uint32_t dword;
         uint64_t qword;
-    } val;
+    } val = { .qword = ~0ULL };
     uint64_t data = 0;
 
     /* Load the ROM lazily when the guest tries to read it */
-- 
2.54.0
Re: [PATCH] vfio/pci: Fix information leak in vfio_rom_read()
Posted by Philippe Mathieu-Daudé 4 days, 19 hours ago 
On 2/6/26 09:44, Cédric Le Goater wrote:
> vfio_rom_read() can leak uninitialized stack data to the guest when a
> read occurs at the end boundary of the ROM BAR.
> 
> Fix this by initializing the val union to 0xff, matching the ROM
> initialization pattern used in vfio_pci_load_rom().
> 
> Signed-off-by: Cédric Le Goater <clg@redhat.com>
> ---
>   hw/vfio/pci.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)

Reviewed-by: Philippe Mathieu-Daudé <philmd@mailo.com>
Re: [PATCH] vfio/pci: Fix information leak in vfio_rom_read()
Posted by Mario Casquero 5 days, 19 hours ago 
Looks good to me!

Reviewed-by: Mario Casquero <mcasquer@redhat.com>

BR,
Mario





On Tue, Jun 2, 2026 at 9:44 AM Cédric Le Goater <clg@redhat.com> wrote:
>
> vfio_rom_read() can leak uninitialized stack data to the guest when a
> read occurs at the end boundary of the ROM BAR.
>
> Fix this by initializing the val union to 0xff, matching the ROM
> initialization pattern used in vfio_pci_load_rom().
>
> Signed-off-by: Cédric Le Goater <clg@redhat.com>
> ---
>  hw/vfio/pci.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
> index 9df04fa2d76b1a78ee884d915f5a0c3c5fdb6115..de28e72519326741295c19f4a07208b95861f2ce 100644
> --- a/hw/vfio/pci.c
> +++ b/hw/vfio/pci.c
> @@ -1142,7 +1142,7 @@ static uint64_t vfio_rom_read(void *opaque, hwaddr addr, unsigned size)
>          uint16_t word;
>          uint32_t dword;
>          uint64_t qword;
> -    } val;
> +    } val = { .qword = ~0ULL };
>      uint64_t data = 0;
>
>      /* Load the ROM lazily when the guest tries to read it */
> --
> 2.54.0
>

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.