References: bsc#958007 XSA-164 MSI-X: avoid array overrun upon MSI-X table writes pt_msix_init() allocates msix->msix_entry[] to just cover msix->total_entries entries. While pci_msix_readl() resorts to reading physical memory for out of bounds reads, pci_msix_writel() so far simply accessed/corrupted unrelated memory. pt_iomem_map()'s call to cpu_register_physical_memory() registers a page granular region, which is necessary as the Pending Bit Array may share space with the MSI-X table (but nothing else is allowed to). This also explains why pci_msix_readl() actually honors out of bounds reads, but pci_msi_writel() doesn't need to. This is XSA-164. Signed-off-by: Jan Beulich Index: xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c =================================================================== --- xen-4.6.1-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c +++ xen-4.6.1-testing/tools/qemu-xen-traditional-dir-remote/hw/pt-msi.c @@ -447,6 +447,13 @@ static void pci_msix_writel(void *opaque return; } + if ( addr - msix->mmio_base_addr >= msix->total_entries * 16 ) + { + PT_LOG("Error: Out of bounds write to MSI-X table," + " addr %016"PRIx64"\n", addr); + return; + } + entry_nr = (addr - msix->mmio_base_addr) / 16; entry = &msix->msix_entry[entry_nr]; offset = ((addr - msix->mmio_base_addr) % 16) / 4;