From: Alex Williamson Date: Fri, 9 Jan 2015 15:50:53 +0000 (-0700) Subject: vfio-pci: Fix BAR size overflow X-Git-Tag: Tizen_Studio_1.3_Release_p2.3.2~209^2~394^2~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=29c6e6df492d81b1843e5dd999171bb84c6effea;p=sdk%2Femulator%2Fqemu.git vfio-pci: Fix BAR size overflow We use an unsigned int when working with the PCI BAR size, which can obviously overflow if the BAR is 4GB or larger. This needs to change to a fixed length uint64_t. A similar issue is possible, though even more unlikely, when mapping the region above an MSI-X table. The start of the MSI-X vector table must be below 4GB, but the end, and therefore the start of the next mapping region, could still land at 4GB. Suggested-by: Nishank Trivedi Signed-off-by: Alex Williamson Reviewed-by: Don Slutz Tested-by: Alexey Kardashevskiy --- diff --git a/hw/vfio/pci.c b/hw/vfio/pci.c index b4e73d1f35..b6703c7d37 100644 --- a/hw/vfio/pci.c +++ b/hw/vfio/pci.c @@ -2301,7 +2301,7 @@ static void vfio_unmap_bar(VFIOPCIDevice *vdev, int nr) static void vfio_map_bar(VFIOPCIDevice *vdev, int nr) { VFIOBAR *bar = &vdev->bars[nr]; - unsigned size = bar->region.size; + uint64_t size = bar->region.size; char name[64]; uint32_t pci_bar; uint8_t type; @@ -2351,7 +2351,7 @@ static void vfio_map_bar(VFIOPCIDevice *vdev, int nr) } if (vdev->msix && vdev->msix->table_bar == nr) { - unsigned start; + uint64_t start; start = HOST_PAGE_ALIGN(vdev->msix->table_offset + (vdev->msix->entries * PCI_MSIX_ENTRY_SIZE));