From c6eda313f98251f2117f308c341ecb795861538f Mon Sep 17 00:00:00 2001
From: Zhang Chen
Date: Fri, 4 Aug 2023 10:56:34 +0800
Subject: [PATCH] hypervisor/ivshmem: Add check to prevent malicious BAR0 opts

The ivshmem spec define the BAR0 offset > 16 are reserved. So ACRN need ignore all operation when offset out of range.

Tracked-On: #8487
Signed-off-by: Zhang Chen
Reviewed-by: Junjie Mao
---
 hypervisor/dm/vpci/ivshmem.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hypervisor/dm/vpci/ivshmem.c b/hypervisor/dm/vpci/ivshmem.c
index 7e4247ba1..75383e004 100644
--- a/hypervisor/dm/vpci/ivshmem.c
+++ b/hypervisor/dm/vpci/ivshmem.c
@@ -198,7 +198,9 @@ static int32_t ivshmem_mmio_handler(struct io_request *io_req, void *data)
 struct ivshmem_device *ivs_dev = (struct ivshmem_device *) vdev->priv_data;
 uint64_t offset = mmio->address - vdev->vbars[IVSHMEM_MMIO_BAR].base_gpa;
 
- if ((mmio->size == 4U) && ((offset & 0x3U) == 0U)) {
+ /* ivshmem spec define the BAR0 offset > 16 are reserved */
+ if ((mmio->size == 4U) && ((offset & 0x3U) == 0U) &&
+ (offset < sizeof(ivs_dev->mmio))) {
 /*
 * IVSHMEM_IRQ_MASK_REG and IVSHMEM_IRQ_STA_REG are R/W registers
 * they are useless for ivshmem Rev.1.
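Review bot: The added comment says offsets `> 16` are reserved, but the new condition rejects every offset at or above `sizeof(ivs_dev->mmio)`, which (assuming the register block is 16 bytes) includes offset 16 itself. The comment also does not record that `offset` is computed from the guest-supplied `mmio->address`, which is what makes this a memory-safety bound and not only spec conformance. I would word it as `/* offset is guest-controlled: ignore accesses at or past the end of the register block (reserved per the ivshmem spec) */`. The body of `ivshmem_mmio_handler` continues outside the hunk, so it is not visible whether a read that fails this condition still leaves `mmio->value` with a defined value; if it does not, assigning a fixed value on the rejected path would be worth adding.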