diff options
Diffstat (limited to 'main/xen/xsa164.patch')
-rw-r--r-- | main/xen/xsa164.patch | 34 |
1 files changed, 0 insertions, 34 deletions
diff --git a/main/xen/xsa164.patch b/main/xen/xsa164.patch deleted file mode 100644 index 39ffccc40f..0000000000 --- a/main/xen/xsa164.patch +++ /dev/null @@ -1,34 +0,0 @@ -MSI-X: avoid array overrun upon MSI-X table writes - -pt_msix_init() allocates msix->msix_entry[] to just cover -msix->total_entries entries. While pci_msix_readl() resorts to reading -physical memory for out of bounds reads, pci_msix_writel() so far -simply accessed/corrupted unrelated memory. - -pt_iomem_map()'s call to cpu_register_physical_memory() registers a -page granular region, which is necessary as the Pending Bit Array may -share space with the MSI-X table (but nothing else is allowed to). This -also explains why pci_msix_readl() actually honors out of bounds reads, -but pci_msi_writel() doesn't need to. - -This is XSA-164. - -Signed-off-by: Jan Beulich <jbeulich@suse.com> -Acked-by: Ian Campbell <ian.campbell@citrix.com> - ---- a/hw/pt-msi.c -+++ b/hw/pt-msi.c -@@ -440,6 +440,13 @@ static void pci_msix_writel(void *opaque - return; - } - -+ if ( addr - msix->mmio_base_addr >= msix->total_entries * 16 ) -+ { -+ PT_LOG("Error: Out of bounds write to MSI-X table," -+ " addr %016"PRIx64"\n", addr); -+ return; -+ } -+ - entry_nr = (addr - msix->mmio_base_addr) / 16; - entry = &msix->msix_entry[entry_nr]; - offset = ((addr - msix->mmio_base_addr) % 16) / 4; |