diff options
| author | Aditya Gupta <adityag@linux.ibm.com> | 2026-03-27 00:34:38 +0530 |
|---|---|---|
| committer | Michael Tokarev <mjt@tls.msk.ru> | 2026-06-24 16:35:22 +0300 |
| commit | c4bd8d75696adbb906b192c637bf234f720b95da (patch) | |
| tree | 90e6025741adbca435fe09d1ba97bd7ecd849a28 | |
| parent | 7f9d07e21793cad61379ac8ade34dee77bd14366 (diff) | |
| download | qemu-c4bd8d75696adbb906b192c637bf234f720b95da.tar.gz qemu-c4bd8d75696adbb906b192c637bf234f720b95da.zip | |
hw/pci: Replace assert with bounds check and return
As reported in https://gitlab.com/qemu-project/qemu/-/work_items/3334,
callers of 'pci_host_config_{read,write}_common' can pass length as 8,
causing an assert failure
The original issue with pnv_phb3 triggering the assert was fixed in a
previous commit
Instead of asserting on invalid length, check if the length is valid
(<=4), otherwise return (with the failure error code in read)
Reported-by: Zexiang Zhang <chan9yan9@gmail.com>
Signed-off-by: Aditya Gupta <adityag@linux.ibm.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260326190438.734239-3-adityag@linux.ibm.com>
(cherry picked from commit c7209c56718107fefd5deae140a450954d31ff2b)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
| -rw-r--r-- | hw/pci/pci_host.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/hw/pci/pci_host.c b/hw/pci/pci_host.c index 7179d99178..9a0f80da53 100644 --- a/hw/pci/pci_host.c +++ b/hw/pci/pci_host.c @@ -81,7 +81,12 @@ void pci_host_config_write_common(PCIDevice *pci_dev, uint32_t addr, return; } - assert(len <= 4); + if (len > 4) { + PCI_DPRINTF("%s: invalid length access: addr " HWADDR_FMT_plx " \ + len %d val %"PRIx32"\n", __func__, addr, len, val); + return; + } + /* non-zero functions are only exposed when function 0 is present, * allowing direct removal of unexposed functions. */ @@ -106,7 +111,12 @@ uint32_t pci_host_config_read_common(PCIDevice *pci_dev, uint32_t addr, return ~0x0; } - assert(len <= 4); + if (len > 4) { + PCI_DPRINTF("%s: invalid length access: addr " HWADDR_FMT_plx " \ + len %d val %"PRIx32"\n", __func__, addr, len, val); + return ~0x0; + } + /* non-zero functions are only exposed when function 0 is present, * allowing direct removal of unexposed functions. */ |
