1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
|
From 4f2a5202a05fc1612954804a2482f07bff105ea2 Mon Sep 17 00:00:00 2001
From: Prasad J Pandit <pjp@fedoraproject.org>
Date: Tue, 11 Aug 2020 17:11:26 +0530
Subject: [PATCH] pci-host: designware: add pcie-msi read method
Add pcie-msi mmio read method to avoid NULL pointer dereference
issue.
Reported-by: Lei Sun <slei.casper@gmail.com>
Reviewed-by: Li Qiang <liq3ea@gmail.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Message-Id: <20200811114133.672647-3-ppandit@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
CVE: CVE-2020-15469
Upstream-Status: Backport [import from ubuntu https://git.launchpad.net/ubuntu/+source/qemu/tree/debian/patches/CVE-2020-15469-2.patch?h=ubuntu/focal-security Upstream Commit https://github.com/qemu/qemu/commit/4f2a5202a05fc1612954804a2482f07bff105ea2]
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
hw/pci-host/designware.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/hw/pci-host/designware.c b/hw/pci-host/designware.c
index f9fb97a..bde3a34 100644
--- a/hw/pci-host/designware.c
+++ b/hw/pci-host/designware.c
@@ -21,6 +21,7 @@
#include "qemu/osdep.h"
#include "qapi/error.h"
#include "qemu/module.h"
+#include "qemu/log.h"
#include "hw/pci/msi.h"
#include "hw/pci/pci_bridge.h"
#include "hw/pci/pci_host.h"
@@ -63,6 +64,23 @@ designware_pcie_root_to_host(DesignwarePCIERoot *root)
return DESIGNWARE_PCIE_HOST(bus->parent);
}
+static uint64_t designware_pcie_root_msi_read(void *opaque, hwaddr addr,
+ unsigned size)
+{
+ /*
+ * Attempts to read from the MSI address are undefined in
+ * the PCI specifications. For this hardware, the datasheet
+ * specifies that a read from the magic address is simply not
+ * intercepted by the MSI controller, and will go out to the
+ * AHB/AXI bus like any other PCI-device-initiated DMA read.
+ * This is not trivial to implement in QEMU, so since
+ * well-behaved guests won't ever ask a PCI device to DMA from
+ * this address we just log the missing functionality.
+ */
+ qemu_log_mask(LOG_UNIMP, "%s not implemented\n", __func__);
+ return 0;
+}
+
static void designware_pcie_root_msi_write(void *opaque, hwaddr addr,
uint64_t val, unsigned len)
{
@@ -77,6 +95,7 @@ static void designware_pcie_root_msi_write(void *opaque, hwaddr addr,
}
static const MemoryRegionOps designware_pci_host_msi_ops = {
+ .read = designware_pcie_root_msi_read,
.write = designware_pcie_root_msi_write,
.endianness = DEVICE_LITTLE_ENDIAN,
.valid = {
--
1.8.3.1
|