Re: [PATCH v2] hv: validate inputs in vpci_mmio_cfg_access


Eddie Dong
 

Acked-by: Eddie Dong <eddie.dong@...>

-----Original Message-----
From: acrn-dev@... <acrn-dev@...> On
Behalf Of Yonghua Huang
Sent: Monday, July 25, 2022 8:45 PM
To: acrn-dev@...
Cc: Huang, Yonghua <yonghua.huang@...>
Subject: [acrn-dev] [PATCH v2] hv: validate inputs in vpci_mmio_cfg_access

This function is registered as the PCI MMIO configuration
access handler, which processes PCI configuration access
requests from an ACRN guest; hence the inputs shall be validated
to avoid a potential hypervisor crash when handling inputs
from malicious guests.

Signed-off-by: Yonghua Huang <yonghua.huang@...>
---
hypervisor/dm/vpci/vpci.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/hypervisor/dm/vpci/vpci.c b/hypervisor/dm/vpci/vpci.c index
7c1f079701fb..3dd51cc093c3 100644
--- a/hypervisor/dm/vpci/vpci.c
+++ b/hypervisor/dm/vpci/vpci.c
@@ -192,8 +192,13 @@ static int32_t vpci_mmio_cfg_access(struct
io_request *io_req, void *private_dat
bdf.value = (uint16_t)((address - pci_mmcofg_base) >> 12U);

if (mmio->direction == ACRN_IOREQ_DIR_READ) {
- ret = vpci_read_cfg(vpci, bdf, reg_num, (uint32_t)mmio->size,
(uint32_t *)&mmio->value);
- } else {
+ uint32_t val = ~0U;
+
+ if (pci_is_valid_access(reg_num, (uint32_t)mmio->size)) {
+ ret = vpci_read_cfg(vpci, bdf, reg_num,
(uint32_t)mmio->size, &val);
+ }
+ mmio->value = val;
+ } else if (pci_is_valid_access(reg_num, (uint32_t)mmio->size)) {
ret = vpci_write_cfg(vpci, bdf, reg_num, (uint32_t)mmio->size,
(uint32_t)mmio->value);
}
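
Review bot: on both invalid-access paths (the read branch when `pci_is_valid_access(reg_num, (uint32_t)mmio->size)` fails, and the `else if` that skips the write) `ret` is never assigned inside this hunk, so what the handler returns for a rejected guest access depends on an initializer that is not visible here. Please confirm `ret` has a defined initial value and set it explicitly on the rejected paths, so it is clear whether an out-of-range access is meant to complete as a benign no-op (read returns `~0U`, write dropped) or to surface an error. The same `pci_is_valid_access()` call appears in both branches; evaluating it once before the direction check would keep the read and write paths from drifting apart. A short comment stating that invalid reads return all ones and invalid writes are ignored would document the intended behaviour.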

--
2.25.1



