From: "Michael S. Tsirkin" <mst@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Ani Sinha" <ani@anisinha.ca>,
	"Peter Maydell" <peter.maydell@linaro.org>,
	"Philippe Mathieu-Daudé" <philmd@redhat.com>,
	"Igor Mammedov" <imammedo@redhat.com>
Subject: [PULL v2 02/55] acpi: validate hotplug selector on access
Date: Fri, 7 Jan 2022 06:03:11 -0500
Message-ID: <20220107102526.39238-3-mst@redhat.com>
In-Reply-To: <20220107102526.39238-1-mst@redhat.com>

When the bus is looked up on a PCI write, we didn't
validate that the lookup succeeded.
Fuzzers can thus trigger a QEMU crash by dereferencing the NULL
bus pointer.

Fixes: b32bd763a1 ("pci: introduce acpi-index property for PCI device")
Fixes: CVE-2021-4158
Cc: "Igor Mammedov" <imammedo@redhat.com>
Fixes: https://gitlab.com/qemu-project/qemu/-/issues/770
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Ani Sinha <ani@anisinha.ca>
---
 hw/acpi/pcihp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c
index 30405b5113..a5e182dd3a 100644
--- a/hw/acpi/pcihp.c
+++ b/hw/acpi/pcihp.c
@@ -491,6 +491,9 @@ static void pci_write(void *opaque, hwaddr addr, uint64_t data,
         }
 
         bus = acpi_pcihp_find_hotplug_bus(s, s->hotplug_select);
+        if (!bus) {
+            break;
+        }
         QTAILQ_FOREACH_SAFE(kid, &bus->qbus.children, sibling, next) {
             Object *o = OBJECT(kid->child);
             PCIDevice *dev = PCI_DEVICE(o);
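Review bot: the early `break` on `!bus` silently discards the write, so a guest (or fuzzer) programming a `hotplug_select` that matches no hotplug-capable bus leaves no trace at all; a one-line comment above the check stating that an unmatched selector is guest-controlled input and is intentionally ignored would make the intent clear to the next reader, and a trace event at this point would help when debugging guests whose hotplug requests appear to go nowhere. The check itself is the right fix: `acpi_pcihp_find_hotplug_bus()` can return NULL and the following `QTAILQ_FOREACH_SAFE` over `bus->qbus.children` dereferences it unconditionally.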
-- 
MST
