[Qemu-devel] [PATCH 50/55] vhost: fix error check in vhost_verify_ring_m
From: Michael Roth
Subject: [Qemu-devel] [PATCH 50/55] vhost: fix error check in vhost_verify_ring_mappings()
Date: Wed, 6 Dec 2017 13:16:43 -0600

From: Greg Kurz <address@hidden>

Since commit f1f9e6c5 "vhost: adapt vhost_verify_ring_mappings() to
virtio 1 ring layout", we check the mapping of each part (descriptor
table, available ring and used ring) of each virtqueue separately.

The checking of a part is done by the vhost_verify_ring_part_mapping()
function: it returns either 0 on success or a negative errno if the
part cannot be mapped at the same place.

Unfortunately, the vhost_verify_ring_mappings() function checks its
return value the other way round. It means that we either:
- only verify the descriptor table of the first virtqueue, and if it
  is valid we ignore all the other mappings
- or ignore all broken mappings until we reach a valid one

ie, we only raise an error if all mappings are broken, and we consider
all mappings are valid otherwise (false success), which is obviously
wrong.

This patch ensures that vhost_verify_ring_mappings() only returns
success if ALL mappings are okay.

Reported-by: Dr. David Alan Gilbert <address@hidden>
Signed-off-by: Greg Kurz <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit 2fe45ec3bffbd3a26f2ed39f60bab0ca5217d8f6)
Signed-off-by: Michael Roth <address@hidden>
---
hw/virtio/vhost.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/hw/virtio/vhost.c b/hw/virtio/vhost.c
index 76f6e1fcaa..fd6f4a878b 100644
--- a/hw/virtio/vhost.c
+++ b/hw/virtio/vhost.c
@@ -492,21 +492,21 @@ static int vhost_verify_ring_mappings(struct vhost_dev
*dev,
j = 0;
r = vhost_verify_ring_part_mapping(dev, vq->desc, vq->desc_phys,
vq->desc_size, start_addr, size);
- if (!r) {
+ if (r) {
break;
}
j++;
r = vhost_verify_ring_part_mapping(dev, vq->avail, vq->avail_phys,
vq->avail_size, start_addr, size);
- if (!r) {
+ if (r) {
break;
}
j++;
r = vhost_verify_ring_part_mapping(dev, vq->used, vq->used_phys,
vq->used_size, start_addr, size);
- if (!r) {
+ if (r) {
break;
}
}
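
Review bot: the three `if (r)` checks that follow each vhost_verify_ring_part_mapping() call depend on a return convention (0 on success, negative errno on failure) that is stated only in the commit message and not in the code, which makes an inverted test like the old `if (!r)` easy to miss in review. Consider writing `if (r < 0)` or adding a one-line comment on the helper that states the convention. The call, check and `j++` sequence is also repeated verbatim for the desc, avail and used parts; iterating over the three parts would leave a single check to get right.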
--
2.11.0