The for loop that deals with MSI masking is coded as follows:
for ( pos = 0; pos < entry->msi.nvec; ++pos, ++entry )
Thus the loop termination condition is dereferencing a struct pointer that
is being incremented by the loop.
A block of MSI entries stores the number of vectors in entry[0].msi.nvec,
with all subsequent entries using a value of 0. Therefore, for a block of
two or more MSIs will terminate the loop early, as entry[1].msi.nvec is 0.
However, for a single MSI, ++entry moves the pointer out of bounds, and a
bogus read is used for the termination condition. In the case that the
loop body gets entered, there are subsequent OoB writes which clobber
adjacent memory in the heap.
This patch simply initializes a stack variable to the value of
entry->msi.nvec before starting the loop and then uses that in the
termination condition instead.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
{
uint16_t cntl;
uint32_t unused;
+ unsigned int nvec = entry->msi.nvec;
pos = entry->msi_attrib.pos;
if ( reg < pos || reg >= entry->msi.mpos + 8 )
cntl = pci_conf_read16(seg, bus, slot, func, msi_control_reg(pos));
unused = ~(uint32_t)0 >> (32 - multi_msi_capable(cntl));
- for ( pos = 0; pos < entry->msi.nvec; ++pos, ++entry )
+ for ( pos = 0; pos < nvec; ++pos, ++entry )
{
entry->msi_attrib.guest_masked =
*data >> entry->msi_attrib.entry_nr;
projects / people / dwmw2 / xen.git / commitdiff