From patchwork Wed Jan 7 00:03:01 2015
X-Patchwork-Submitter: Alex Williamson
X-Patchwork-Id: 425884
From: Alex Williamson
To: qemu-devel@nongnu.org
Cc: Alex Williamson
Date: Tue, 06 Jan 2015 17:03:01 -0700
Message-ID: <20150107000121.13777.54926.stgit@gimli.home>
User-Agent: StGIT/0.14.3
Subject: [Qemu-devel] [PATCH] vfio-pci: Fix BAR size overflow

We use an unsigned int when working with the PCI BAR size, which can obviously overflow if the BAR is 4GB or larger. This needs to change to an unsigned long.

A similar issue is possible, though even more unlikely, when mapping the region above an MSI-X table. The start of the table must be below 4GB, but the end, and therefore the start of the next mapping region, could still land at 4GB.

Suggested-by: Nishank Trivedi
Signed-off-by: Alex Williamson
---
 hw/vfio/pci.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c
index b4e73d1..03790a8 100644
--- a/hw/vfio/pci.c
+++ b/hw/vfio/pci.c
@@ -2301,7 +2301,7 @@ static void vfio_unmap_bar(VFIOPCIDevice *vdev, int nr) static void vfio_map_bar(VFIOPCIDevice *vdev, int nr) { VFIOBAR *bar = &vdev->bars[nr]; - unsigned size = bar->region.size; + unsigned long size = bar->region.size; char name[64]; uint32_t pci_bar; uint8_t type; @@ -2351,7 +2351,7 @@ static void vfio_map_bar(VFIOPCIDevice *vdev, int nr) } if (vdev->msix && vdev->msix->table_bar == nr) { - unsigned start; + unsigned long start; start = HOST_PAGE_ALIGN(vdev->msix->table_offset + (vdev->msix->entries * PCI_MSIX_ENTRY_SIZE));
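Review bot: In the first hunk (vfio_map_bar), `unsigned long size = bar->region.size;` only fixes the overflow on LP64 hosts; `unsigned long` is still 32 bits on 32-bit hosts and on LLP64 targets such as Win64, so a BAR of 4GB or larger truncates there exactly as before. Since the intent stated in the message is to hold a BAR size that may exceed 32 bits, a fixed-width type (`uint64_t`, or the type of `bar->region.size` itself if it is already 64-bit) would state that intent and not depend on the host's `long` width. The commit message should then say "64-bit" rather than "unsigned long".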
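Review bot: In the second hunk, widening `start` to `unsigned long` does not by itself protect the edge case the message describes, because the expression `vdev->msix->table_offset + (vdev->msix->entries * PCI_MSIX_ENTRY_SIZE)` is evaluated in the width of its operands before the result is widened for the assignment and for `HOST_PAGE_ALIGN`. If `table_offset` and `entries` are 32-bit types (the MSI-X table offset is a 32-bit register field), an end that lands at exactly 4GB wraps to 0 inside the addition, and `start` then holds 0. Casting the first operand to the wider type, e.g. `(uint64_t)vdev->msix->table_offset + ...`, closes that; the same host-`long`-width caveat as in the first hunk applies to `unsigned long start` as well.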