From 27b471e574edcee7ac065a7a46f558dca0fd7bf0 Mon Sep 17 00:00:00 2001
From: Alex Williamson <alex.williamson@redhat.com>
Date: Fri, 10 Apr 2015 16:34:08 +0200
Subject: [PATCH 06/14] vfio-pci: Fix BAR size overflow
Message-id: <20150410163408.15324.43004.stgit@gimli.home>
Patchwork-id: 64792
O-Subject: [RHEL7.2 qemu-kvm PATCH 6/8] vfio-pci: Fix BAR size overflow
Bugzilla: 1181267
RH-Acked-by: Thomas Huth <thuth@redhat.com>
RH-Acked-by: Laszlo Ersek <lersek@redhat.com>
RH-Acked-by: Bandan Das <bsd@redhat.com>
Upstream: 29c6e6df492d81b1843e5dd999171bb84c6effea
We use an unsigned int when working with the PCI BAR size, which can
obviously overflow if the BAR is 4GB or larger. This needs to change
to a fixed length uint64_t. A similar issue is possible, though even
more unlikely, when mapping the region above an MSI-X table. The
start of the MSI-X vector table must be below 4GB, but the end, and
therefore the start of the next mapping region, could still land at
4GB.
Suggested-by: Nishank Trivedi <nishank.trivedi@netapp.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Reviewed-by: Don Slutz <dslutz@verizon.com>
Tested-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
hw/misc/vfio.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
index f6e019c..607dbf4 100644
--- a/hw/misc/vfio.c
+++ b/hw/misc/vfio.c
@@ -2579,7 +2579,7 @@ empty_region:
static void vfio_map_bar(VFIODevice *vdev, int nr)
{
VFIOBAR *bar = &vdev->bars[nr];
- unsigned size = bar->size;
+ uint64_t size = bar->size;
char name[64];
uint32_t pci_bar;
uint8_t type;
@@ -2628,7 +2628,7 @@ static void vfio_map_bar(VFIODevice *vdev, int nr)
}
if (vdev->msix && vdev->msix->table_bar == nr) {
- unsigned start;
+ uint64_t start;
start = TARGET_PAGE_ALIGN(vdev->msix->table_offset +
(vdev->msix->entries * PCI_MSIX_ENTRY_SIZE));
--
1.8.3.1