From: Paul Durrant
Date: Tue, 2 Jul 2019 10:34:14 +0100
Message-ID: <20190702093414.27798-1-paul.durrant@citrix.com>
Subject: [Xen-devel] [PATCH] x86/msi: fix loop termination condition in pci_msi_conf_write_intercept()
List-Id: Xen developer discussion
Cc: Igor Druzhinin, Wei Liu, Andrew Cooper, Paul Durrant, Jan Beulich, Roger Pau Monné

The for loop that deals with MSI masking is coded as follows:

for ( pos = 0; pos < entry->msi.nvec; ++pos, ++entry )

Thus the loop termination condition is dereferencing a struct pointer that is being incremented by the loop. However, it is clear from following code paths in msi_capability_init() that this is unsafe as, for instance, in the case of nvec == 1, entry will point at a single struct msi_desc allocation and thus the loop will walk beyond the bounds of the allocation before dereferencing the memory to determine whether the loop should terminate. Also, because the body of the loop writes via the entry pointer, this can then lead to heap memory corruption, or indeed corruption of anything in the direct map.

This patch simply initializes a stack variable to the value of entry->msi.nvec before starting the loop and then uses that in the termination condition instead.
Signed-off-by: Paul Durrant
---
Cc: Jan Beulich
Cc: Andrew Cooper
Cc: Wei Liu
Cc: "Roger Pau Monné"
Cc: Igor Druzhinin

Credit to Andrew Cooper and Igor Druzhinin for helping narrow down the source of the memory corruption. It has taken many weeks of head-scratching to get to this fix.
---
 xen/arch/x86/msi.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/xen/arch/x86/msi.c b/xen/arch/x86/msi.c index babc4147c4..89e61160e9 100644 --- a/xen/arch/x86/msi.c +++ b/xen/arch/x86/msi.c @@ -1328,6 +1328,7 @@ int pci_msi_conf_write_intercept(struct pci_dev *pdev= , unsigned int reg, { uint16_t cntl; uint32_t unused; + unsigned int nvec =3D entry->msi.nvec; =20 pos =3D entry->msi_attrib.pos; if ( reg < pos || reg >=3D entry->msi.mpos + 8 ) @@ -1340,7 +1341,7 @@ int pci_msi_conf_write_intercept(struct pci_dev *pdev= , unsigned int reg, =20 cntl =3D pci_conf_read16(seg, bus, slot, func, msi_control_reg(pos= )); unused =3D ~(uint32_t)0 >> (32 - multi_msi_capable(cntl)); - for ( pos =3D 0; pos < entry->msi.nvec; ++pos, ++entry ) + for ( pos =3D 0; pos < nvec; ++pos, ++entry ) { entry->msi_attrib.guest_masked =3D *data >> entry->msi_attrib.entry_nr;
-- 
2.20.1.2.gb21ebb671

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
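Review bot: the new `unsigned int nvec = entry->msi.nvec;` in the first hunk needs a one-line comment saying why the count is copied out (the loop further down advances `entry`, so the termination test must not read through it); without that, the local looks redundant and a later cleanup could fold it back into `entry->msi.nvec`, reintroducing the out-of-bounds read. It is also worth confirming that `unsigned int` is the declared type of `msi.nvec`, so the copy is not a narrowing conversion.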
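Review bot: the corrected `for ( pos = 0; pos < nvec; ++pos, ++entry )` in the second hunk is right, but `pos` still does double duty: a few lines up it holds the capability offset (`pos = entry->msi_attrib.pos`) and is passed to `msi_control_reg(pos)`, and here it is reused as the vector index. Reusing `pos` in a loop whose pointer is also moving is part of what made the original condition look innocent at a glance; a dedicated index such as `i` would make the intent clearer. Separately, on loop exit `entry` points one past the last descriptor, so nothing later in `pci_msi_conf_write_intercept()` may dereference it; the hunk alone does not show whether anything does.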
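The overrun the commit message describes, as an added example that is not part of the patch or of Xen's code: a cut-down struct msi_desc carrying only the field names the hunk touches (the layout and the other fields are assumed for the example), the loop as it was before the patch beside the loop as patched, and a constructed five-slot array standing in for the heap around a single-descriptor (nvec == 1) allocation, so the walk past the allocation is reproduced deterministically and without undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Stand-in for Xen's struct msi_desc.  Only the field names used by the
 * patch are real (msi.nvec, msi_attrib.pos, msi_attrib.entry_nr,
 * msi_attrib.guest_masked); the layout is assumed for this example.
 */
struct msi_desc {
    struct {
        unsigned int nvec;   /* vectors in this allocation */
        unsigned int mpos;
    } msi;
    struct {
        unsigned int pos;
        unsigned int entry_nr;
        unsigned int guest_masked;
    } msi_attrib;
};

/*
 * The loop before the patch: the termination test re-reads
 * entry->msi.nvec through the pointer the loop itself advances, so once
 * pos == nvec the test is evaluated on whatever follows the allocation.
 * Returns the number of descriptors written.
 */
static unsigned int mask_vectors_buggy(struct msi_desc *entry, uint32_t data)
{
    unsigned int pos, writes = 0;

    for ( pos = 0; pos < entry->msi.nvec; ++pos, ++entry )
    {
        entry->msi_attrib.guest_masked = (data >> entry->msi_attrib.entry_nr) & 1;
        writes++;
    }
    return writes;
}

/* The loop after the patch: nvec is copied out before entry moves. */
static unsigned int mask_vectors_fixed(struct msi_desc *entry, uint32_t data)
{
    unsigned int nvec = entry->msi.nvec;
    unsigned int pos, writes = 0;

    for ( pos = 0; pos < nvec; ++pos, ++entry )
    {
        entry->msi_attrib.guest_masked = (data >> entry->msi_attrib.entry_nr) & 1;
        writes++;
    }
    return writes;
}

#define SLOTS 5

/*
 * Model the nvec == 1 case: slot 0 is the single msi_desc allocation,
 * slots 1..3 stand in for the object that happens to follow it in the
 * heap (constructed so its bytes read back as nvec == 4), and slot 4 is a
 * sentinel that makes the buggy walk stop.  A real heap has no sentinel:
 * the walk continues until it meets memory where pos >= nvec, writing
 * guest_masked into every object on the way.  One array keeps the demo
 * free of undefined behaviour while reproducing the same control flow.
 * Returns the number of descriptors written; *corrupted receives how many
 * slots outside the allocation (index >= 1) were modified.
 */
static unsigned int simulate(int use_fix, unsigned int *corrupted)
{
    struct msi_desc heap[SLOTS];
    unsigned int i, writes;

    memset(heap, 0, sizeof(heap));
    heap[0].msi.nvec = 1;                 /* the real allocation */
    for ( i = 1; i < SLOTS - 1; i++ )
        heap[i].msi.nvec = 4;             /* neighbouring heap bytes */
    heap[SLOTS - 1].msi.nvec = 0;         /* sentinel, demo only */

    /* data = all ones: every visited descriptor gets guest_masked = 1 */
    writes = use_fix ? mask_vectors_fixed(heap, 0xffffffffu)
                     : mask_vectors_buggy(heap, 0xffffffffu);

    *corrupted = 0;
    for ( i = 1; i < SLOTS; i++ )
        if ( heap[i].msi_attrib.guest_masked )
            (*corrupted)++;
    return writes;
}

static unsigned int writes_for(int use_fix)
{
    unsigned int corrupted;
    return simulate(use_fix, &corrupted);
}

static unsigned int corrupted_for(int use_fix)
{
    unsigned int corrupted;
    simulate(use_fix, &corrupted);
    return corrupted;
}

int main(void)
{
    printf("buggy loop: %u writes, %u neighbouring slots corrupted\n",
           writes_for(0), corrupted_for(0));
    printf("fixed loop: %u writes, %u neighbouring slots corrupted\n",
           writes_for(1), corrupted_for(1));
    return 0;
}
```

Build with `cc -Wall example.c && ./a.out`. To see the defect as the real heap bug rather than the modelled one, allocate slot 0 alone with `malloc(sizeof(struct msi_desc))`, hand it to mask_vectors_buggy(), and build with `-fsanitize=address`: the read of `entry->msi.nvec` on the second iteration lands in the allocator's redzone and AddressSanitizer reports it as a heap-buffer-overflow read, before the body gets the chance to write there.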