From 95a938e50a287d0462944e8375389554c1427bff Mon Sep 17 00:00:00 2001
From: Yonghua Huang
Date: Fri, 22 Jul 2022 06:39:48 +0300
Subject: [PATCH] hv: validate inputs in vpci_mmio_cfg_access
This function is registered as PCI MMIO configuration access handler, which processes PCI configuration access request from ACRN guest hence the inputs shall be validated to avoid potential hypervisor crash when handling inputs from malicious guests.
Tracked-On: #7902
Signed-off-by: Yonghua Huang
Acked-by: Eddie Dong
---
hypervisor/dm/vpci/vpci.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/hypervisor/dm/vpci/vpci.c b/hypervisor/dm/vpci/vpci.c
index 7c1f07970..caa39aee7 100644
--- a/hypervisor/dm/vpci/vpci.c
+++ b/hypervisor/dm/vpci/vpci.c
@@ -192,9 +192,16 @@ static int32_t vpci_mmio_cfg_access(struct io_request *io_req, void *private_dat
 bdf.value = (uint16_t)((address - pci_mmcofg_base) >> 12U);
 if (mmio->direction == ACRN_IOREQ_DIR_READ) {
- ret = vpci_read_cfg(vpci, bdf, reg_num, (uint32_t)mmio->size, (uint32_t *)&mmio->value);
+ uint32_t val = ~0U;
+
+ if (pci_is_valid_access(reg_num, (uint32_t)mmio->size)) {
+ ret = vpci_read_cfg(vpci, bdf, reg_num, (uint32_t)mmio->size, &val);
+ }
+ mmio->value = val;
 } else {
- ret = vpci_write_cfg(vpci, bdf, reg_num, (uint32_t)mmio->size, (uint32_t)mmio->value);
+ if (pci_is_valid_access(reg_num, (uint32_t)mmio->size)) {
+ ret = vpci_write_cfg(vpci, bdf, reg_num, (uint32_t)mmio->size, (uint32_t)mmio->value);
+ }
 }
 return ret;
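Review bot: When `pci_is_valid_access()` rejects the request, both branches fall through to `return ret;` with `ret` untouched, so what the caller sees for a malformed guest access depends on an initializer outside this hunk (the function body starts above it). If the intent is to complete such an access as a no-op, state that next to the checks, e.g. `/* invalid offset/size from the guest: reads return all-ones, writes are dropped, request still completes */`, and confirm `ret` starts at the success value rather than relying on it implicitly. Separately, `mmio->value = val;` stores a zero-extended 32-bit value, while the removed `(uint32_t *)&mmio->value` cast suggests the field is wider than 32 bits. If so, a rejected access with a size above 4 would read zeros in the upper bytes instead of all-ones, which is worth either a comment or an explicit all-ones store on the rejected path.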