From 5f51e4a76255e3188af997d855ad28f9511bc9f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Viktor=20Sj=C3=B6lind?= Date: Wed, 13 Feb 2019 10:50:40 +0100 Subject: [PATCH] pci.c: assert MSIX table count <= config max MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Assert that PCI devices discovered while booting the hypervisor do not have more table entries than allowed by the compile-time configuration (CONFIG_MAX_MSIX_TABLE_NUM). The case where `msix.table_count` > `CONFIG_MAX_MSIX_TABLE_NUM` is fatal since the init function in the handler for MSI-X (vmsix_init) only looks at `table_count` when populating the table. Since `CONFIG_MAX_MSIX_TABLE_NUM` is the max size of the table array entry in the pci_msix struct, this will cause the msix handler to write outside of the table array. Tracked-On: #2624 Signed-off-by: Viktor Sjölind --- hypervisor/hw/pci.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hypervisor/hw/pci.c b/hypervisor/hw/pci.c index 319efeca0..fe2e7c856 100644 --- a/hypervisor/hw/pci.c +++ b/hypervisor/hw/pci.c @@ -352,6 +352,8 @@ static void pci_read_cap(struct pci_pdev *pdev) pdev->msix.table_offset = table_info & ~PCIM_MSIX_BIR_MASK; pdev->msix.table_count = (msgctrl & PCIM_MSIXCTRL_TABLE_SIZE) + 1U; + ASSERT(pdev->msix.table_count <= CONFIG_MAX_MSIX_TABLE_NUM); + /* Copy MSIX capability struct into buffer */ for (idx = 0U; idx < len; idx++) { pdev->msix.cap[idx] = (uint8_t)pci_pdev_read_cfg(pdev->bdf, offset + idx, 1U);
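
Review bot: the new ASSERT on pdev->msix.table_count in pci_read_cap() is the only guard on a value derived from msgctrl, which is read from the device, and the commit message describes the oversized case as a write outside the table array in vmsix_init. If ASSERT is compiled out in non-debug builds, the bound disappears exactly where it is needed. Consider an explicit runtime check that handles an oversized count (for example, logging pdev->bdf and not setting up MSI-X for that device, or failing its initialization) instead of, or in addition to, the assertion. It would also read more cleanly to validate the computed count before storing it into pdev->msix.table_count, and a one-line comment stating that CONFIG_MAX_MSIX_TABLE_NUM bounds the table array in the pci_msix struct would make the reason for the limit visible at the check.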