acpi: validate hotplug selector on access

When bus is looked up on a pci write, we didn't validate that the lookup succeeded. Fuzzers thus can trigger QEMU crash by dereferencing the NULL bus pointer. Fixes: b32bd763 ("pci: introduce acpi-index property for PCI device") Fixes: CVE-2021-4158 Cc: "Igor Mammedov" <imammedo@redhat.com> Fixes: https://gitlab.com/qemu-project/qemu/-/issues/770 Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Ani Sinha <ani@anisinha.ca>

acpi: validate hotplug selector on access
When bus is looked up on a pci write, we didn't validate that the lookup succeeded. Fuzzers thus can trigger QEMU crash by dereferencing the NULL bus pointer. Fixes: b32bd763 ("pci: introduce acpi-index property for PCI device") Fixes: CVE-2021-4158 Cc: "Igor Mammedov" <imammedo@redhat.com> Fixes: https://gitlab.com/qemu-project/qemu/-/issues/770 Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> Reviewed-by: Ani Sinha <ani@anisinha.ca>
9bd6565c · Michael S. Tsirkin · 7656d9ce · 9bd6565c
Commit 9bd6565c authored 3 years ago by Michael S. Tsirkin
--- a/hw/acpi/pcihp.c
+++ b/hw/acpi/pcihp.c
@@ -491,6 +491,9 @@ static void pci_write(void *opaque, hwaddr addr, uint64_t data,
        }

        bus = acpi_pcihp_find_hotplug_bus(s, s->hotplug_select);
+        if (!bus) {
+            break;
+        }
        QTAILQ_FOREACH_SAFE(kid, &bus->qbus.children, sibling, next) {
            Object *o = OBJECT(kid->child);
            PCIDevice *dev = PCI_DEVICE(o);