hv: validate input for dmar_free_irte function

Malicious input 'index' may trigger buffer
 overflow on array 'irte_alloc_bitmap[]'.

 This patch validates that 'index' is
 less than 'CONFIG_MAX_IR_ENTRIES' and also
 removes the now-redundant check on 'index' in
 the 'ptirq_free_irte()' function.

Tracked-On: #6132
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Yonghua Huang 2021-06-02 15:19:15 +08:00 committed by wenlingz
parent 4acaeb91bd
commit 25c0e3817e
2 changed files with 8 additions and 10 deletions


@ -72,16 +72,14 @@ static void ptirq_free_irte(const struct ptirq_remapping_info *entry)
{
struct intr_source intr_src;
if (entry->irte_idx < CONFIG_MAX_IR_ENTRIES) {
if (entry->intr_type == PTDEV_INTR_MSI) {
intr_src.is_msi = true;
intr_src.src.msi.value = entry->phys_sid.msi_id.bdf;
} else {
intr_src.is_msi = false;
intr_src.src.ioapic_id = ioapic_irq_to_ioapic_id(entry->allocated_pirq);
}
dmar_free_irte(&intr_src, entry->irte_idx);
if (entry->intr_type == PTDEV_INTR_MSI) {
intr_src.is_msi = true;
intr_src.src.msi.value = entry->phys_sid.msi_id.bdf;
} else {
intr_src.is_msi = false;
intr_src.src.ioapic_id = ioapic_irq_to_ioapic_id(entry->allocated_pirq);
}
dmar_free_irte(&intr_src, entry->irte_idx);
}
/*
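Review bot: With the caller-side range check removed, the source-id setup now runs for every entry, so `ioapic_irq_to_ioapic_id(entry->allocated_pirq)` is evaluated even when `entry->irte_idx` is out of range, a case the old code skipped. Whether that helper accepts an `allocated_pirq` belonging to an entry with no valid IRTE is not visible on this page and should be confirmed. The function now depends on a bound enforced in another file, so a comment above the call would record that, for example `/* dmar_free_irte() ignores irte_idx >= CONFIG_MAX_IR_ENTRIES */`. The function signature lies above the hunk.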


@ -1398,7 +1398,7 @@ void dmar_free_irte(const struct intr_source *intr_src, uint16_t index)
dmar_unit = ioapic_to_dmaru(intr_src->src.ioapic_id, &sid);
}
if (is_dmar_unit_valid(dmar_unit, sid)) {
if (is_dmar_unit_valid(dmar_unit, sid) && (index < CONFIG_MAX_IR_ENTRIES)) {
ir_table = (union dmar_ir_entry *)hpa2hva(dmar_unit->ir_table_addr);
ir_entry = ir_table + index;
ir_entry->bits.remap.present = 0x0UL;
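Review bot: An out-of-range `index` is now dropped silently, because the bound is folded into the same condition as `is_dmar_unit_valid()`. The commit message treats this value as potentially malicious, so the `index >= CONFIG_MAX_IR_ENTRIES` case should be reported through the hypervisor's error log with the offending value, not masked. The `irte_alloc_bitmap[]` access named in the commit message lies outside this hunk, so confirm it sits inside this guarded block and is not reachable on another path. A short comment on the condition, such as `/* index bounds both the IR table entry and irte_alloc_bitmap[] */`, would document that once verified. The function begins and ends outside the hunk.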