1From a0b64c6d078acb9bcfae600e22bf99a9a7deca7c Mon Sep 17 00:00:00 2001 2From: "Michael S. Tsirkin" <mst@redhat.com> 3Date: Tue, 21 Dec 2021 09:45:44 -0500 4Subject: [PATCH] acpi: validate hotplug selector on access 5MIME-Version: 1.0 6Content-Type: text/plain; charset=UTF-8 7Content-Transfer-Encoding: 8bit 8 9When bus is looked up on a pci write, we didn't 10validate that the lookup succeeded. 11Fuzzers thus can trigger QEMU crash by dereferencing the NULL 12bus pointer. 13 14Fixes: b32bd763a1 ("pci: introduce acpi-index property for PCI device") 15Fixes: CVE-2021-4158 16Cc: "Igor Mammedov" <imammedo@redhat.com> 17Fixes: https://gitlab.com/qemu-project/qemu/-/issues/770 18Signed-off-by: Michael S. Tsirkin <mst@redhat.com> 19Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> 20Reviewed-by: Ani Sinha <ani@anisinha.ca> 21 22Upstream-Status: Backport [9bd6565ccee68f72d5012e24646e12a1c662827e] 23CVE: CVE-2021-4158 24 25Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com> 26--- 27 hw/acpi/pcihp.c | 3 +++ 28 1 file changed, 3 insertions(+) 29 30diff --git a/hw/acpi/pcihp.c b/hw/acpi/pcihp.c 31index 30405b511..a5e182dd3 100644 32--- a/hw/acpi/pcihp.c 33+++ b/hw/acpi/pcihp.c 34@@ -491,6 +491,9 @@ static void pci_write(void *opaque, hwaddr addr, uint64_t data, 35 } 36 37 bus = acpi_pcihp_find_hotplug_bus(s, s->hotplug_select); 38+ if (!bus) { 39+ break; 40+ } 41 QTAILQ_FOREACH_SAFE(kid, &bus->qbus.children, sibling, next) { 42 Object *o = OBJECT(kid->child); 43 PCIDevice *dev = PCI_DEVICE(o); 44-- 452.33.0 46 47