nutanix / libvfio-user

framework for emulating devices in userspace
BSD 3-Clause "New" or "Revised" License

irqs_disable() possible out-of-boundary table access. #790

Closed sberbz closed 4 months ago

sberbz commented 4 months ago

While fuzzing SPDK's vfio-user transport, I encountered an issue with the function irqs_disable() that seems to be an out-of-bounds table access.

Here is a comment describing the issue: https://github.com/spdk/spdk/issues/3289#issuecomment-1976712750

Here is another instance of failure: https://10.211.11.56/job/long-fuzz-vfio-phy-autotest/97/consoleText

jlevon commented 4 months ago
```c
    // Ensure irq_set's start and count are within bounds.
    if ((irq_set->start >= vfu_ctx->irq_count[irq_set->index]) ||
        (irq_set->start + irq_set->count > vfu_ctx->irq_count[irq_set->index])) {
        line = __LINE__;
        goto invalid;
    }
```
jlevon commented 4 months ago

fixed by #791
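The snippet quoted above validates the (index, start, count) triple of a VFIO_DEVICE_SET_IRQS request against the per-index IRQ count table before any IRQ state is touched. The following C program is an added example written for this page; it is not libvfio-user or SPDK code and does not reproduce #791. It models the same check with constructed `irq_ctx` and `irq_set_req` types (assumed names), adds the index-range guard that must precede any lookup in the table, and expresses the upper-bound test as `count > limit - start` so that the comparison stays correct even for a `count` large enough to wrap `start + count`. The requests in `demo()` are constructed inputs, including the boundary cases a fuzzer would reach.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not libvfio-user code. Constructed model of the fields the
 * quoted irqs_disable() check consults: a per-index IRQ count table and the
 * (index, start, count) triple carried by a SET_IRQS request. */
#define NUM_IRQ_TYPES 5   /* assumption: INTx, MSI, MSI-X, ERR, REQ */

struct irq_ctx {
    uint32_t irq_count[NUM_IRQ_TYPES];
};

struct irq_set_req {
    uint32_t index;
    uint32_t start;
    uint32_t count;
};

/* Returns true only if every IRQ in [start, start + count) exists for the
 * requested index. The count is compared against (limit - start) instead of
 * forming start + count, so a huge count cannot wrap the sum to a small value
 * and slip past the comparison. */
bool irq_set_in_bounds(const struct irq_ctx *ctx, const struct irq_set_req *r)
{
    if (r->index >= NUM_IRQ_TYPES) {
        return false;               /* unknown IRQ type: never index the table */
    }
    uint32_t limit = ctx->irq_count[r->index];
    if (r->start >= limit) {
        return false;               /* first IRQ is already past the end */
    }
    if (r->count > limit - r->start) {
        return false;               /* range runs past the end (or would wrap) */
    }
    return true;
}

/* Convenience wrapper: one (start, count) pair against a single limit. */
bool check_one(uint32_t limit, uint32_t start, uint32_t count)
{
    struct irq_ctx ctx = { .irq_count = { [1] = limit } };
    struct irq_set_req r = { .index = 1, .start = start, .count = count };
    return irq_set_in_bounds(&ctx, &r);
}

/* Run constructed requests through the check; returns how many were rejected. */
int demo(void)
{
    struct irq_ctx ctx = { .irq_count = { 1, 4, 16, 0, 0 } };
    struct irq_set_req reqs[] = {
        { .index = 1, .start = 0,  .count = 4 },          /* whole MSI range: ok */
        { .index = 2, .start = 15, .count = 1 },          /* last MSI-X vector: ok */
        { .index = 2, .start = 16, .count = 1 },          /* start == limit: reject */
        { .index = 1, .start = 2,  .count = 3 },          /* runs past the end: reject */
        { .index = 1, .start = 1,  .count = UINT32_MAX }, /* sum would wrap: reject */
        { .index = 3, .start = 0,  .count = 1 },          /* index with zero IRQs: reject */
        { .index = 9, .start = 0,  .count = 1 },          /* index outside the table: reject */
    };
    int rejected = 0;
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        bool ok = irq_set_in_bounds(&ctx, &reqs[i]);
        printf("index=%u start=%u count=%u -> %s\n", reqs[i].index,
               reqs[i].start, reqs[i].count, ok ? "accepted" : "rejected");
        if (!ok) {
            rejected++;
        }
    }
    return rejected;   /* 5 of the 7 constructed requests are rejected */
}

int main(void)
{
    demo();
    return 0;
}
```

The order of the tests matters: the index guard runs before the table read, and `start >= limit` runs before the subtraction so that `limit - start` can never underflow. Either reordering would reintroduce a read or a wrap that the check is meant to rule out.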