Ignore pci unplug requests for unpluggable devices (CVE-2011-1751)

This patch makes qemu ignore unplug requests from the guest for pci devices which are tagged as non-hotpluggable. Trouble spot is the piix4 chipset with the ISA bridge. Requests to unplug that one will make it go away together with all ISA bus devices, which are not prepared to be unplugged and thus don't cleanup, leaving active qemu timers behind in free'ed memory. Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com>

Ignore pci unplug requests for unpluggable devices (CVE-2011-1751)
This patch makes qemu ignore unplug requests from the guest for pci devices which are tagged as non-hotpluggable. Trouble spot is the piix4 chipset with the ISA bridge. Requests to unplug that one will make it go away together with all ISA bus devices, which are not prepared to be unplugged and thus don't cleanup, leaving active qemu timers behind in free'ed memory. Signed-off-by: N Gerd Hoffmann <kraxel@redhat.com>
505597e4 · Gerd Hoffmann · 96d19bcb · 505597e4
隐藏空白更改
内联并排

Showing with 3 addition and 1 deletion

hw/acpi_piix4.c hw/acpi_piix4.c +3 -1

未找到文件。
--- a/hw/acpi_piix4.c
+++ b/hw/acpi_piix4.c
@@ -471,11 +471,13 @@ static void pciej_write(void *opaque, uint32_t addr, uint32_t val)
    BusState *bus = opaque;
    DeviceState *qdev, *next;
    PCIDevice *dev;
+    PCIDeviceInfo *info;
    int slot = ffs(val) - 1;

    QLIST_FOREACH_SAFE(qdev, &bus->children, sibling, next) {
        dev = DO_UPCAST(PCIDevice, qdev, qdev);
-        if (PCI_SLOT(dev->devfn) == slot) {
+        info = container_of(qdev->info, PCIDeviceInfo, qdev);
+        if (PCI_SLOT(dev->devfn) == slot && !info->no_hotplug) {
            qdev_free(qdev);
        }
    }