From: Michael S. Tsirkin
Subject: [Qemu-devel] [PULL 01/25] virtio: add checks for the size of the indirect table
Date: Mon, 4 Feb 2019 09:43:20 -0500
From: Dima Stepanov <address@hidden>
The virtqueue_pop() and virtqueue_get_avail_bytes() routines can use the
INDIRECT table to get the data. It is possible to create a packet which
will lead to an assert message like:
include/exec/memory.h:1995: void
address_space_read_cached(MemoryRegionCache *, hwaddr, void *, int):
Assertion `addr < cache->len && len <= cache->len - addr' failed.
Aborted
To do it, the first descriptor should have a link to the INDIRECT table
and set its size to 0. It doesn't look good that the guest should
be able to trigger the assert in qemu. Add an additional check for the size
of the INDIRECT table, which should not be 0.
Signed-off-by: Dima Stepanov <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
Reviewed-by: Philippe Mathieu-Daudé <address@hidden>
Reviewed-by: Cornelia Huck <address@hidden>
Reviewed-by: Stefan Hajnoczi <address@hidden>
---
hw/virtio/virtio.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 22bd1ac34e..a1ff647a66 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -646,7 +646,7 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int
*in_bytes,
vring_desc_read(vdev, &desc, desc_cache, i);
if (desc.flags & VRING_DESC_F_INDIRECT) {
- if (desc.len % sizeof(VRingDesc)) {
+ if (!desc.len || (desc.len % sizeof(VRingDesc))) {
virtio_error(vdev, "Invalid size for indirect buffer table");
goto err;
}
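Review bot: the new `!desc.len ||` condition at the top of the indirect branch is repeated verbatim in the virtqueue_pop() hunk below; a small static helper such as `virtio_indirect_len_valid(desc.len)` returning `desc.len && !(desc.len % sizeof(VRingDesc))` would keep the two callers from drifting apart the next time the rule changes. The placement itself is right: the check runs before any cache is set up for the table, so a zero-length table is reported through virtio_error() and `goto err` rather than reaching the vring_desc_read() that the commit message shows asserting.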
@@ -902,7 +902,7 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz)
desc_cache = &caches->desc;
vring_desc_read(vdev, &desc, desc_cache, i);
if (desc.flags & VRING_DESC_F_INDIRECT) {
- if (desc.len % sizeof(VRingDesc)) {
+ if (!desc.len || (desc.len % sizeof(VRingDesc))) {
virtio_error(vdev, "Invalid size for indirect buffer table");
goto done;
}
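Review bot: the `virtio_error(vdev, "Invalid size for indirect buffer table");` line now covers two different guest mistakes (zero length and misaligned length) without saying which one fired or what value was supplied; since virtio_error() takes a printf-style format, `virtio_error(vdev, "Invalid size for indirect buffer table: %u", desc.len);` would make the log line usable when triaging a hostile or buggy guest. The `goto done` exit here is the counterpart of the `goto err` in virtqueue_get_avail_bytes() and is fine as is.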
--
MST
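The condition described in the commit message, a head descriptor with VRING_DESC_F_INDIRECT set and len == 0, modelled as an added example. This is not QEMU's code: DescCache stands in for MemoryRegionCache, cache_read() reproduces only the precondition that address_space_read_cached() asserts, and walk_head(), run_scenario() and the scenario_* helpers are this example's own names. The guest memory contents (a two-entry indirect table at offset 64) are constructed for the demonstration. The `patched` flag switches between the pre-patch and post-patch length check so the two outcomes can be compared side by side.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the virtio split-ring descriptor walk (not QEMU code). */
#define VRING_DESC_F_NEXT     1
#define VRING_DESC_F_INDIRECT 4

typedef struct {            /* struct virtq_desc: 16 bytes, no padding */
    uint64_t addr;
    uint32_t len;
    uint16_t flags;
    uint16_t next;
} VRingDesc;

typedef struct {            /* stand-in for MemoryRegionCache */
    const uint8_t *base;
    size_t len;
} DescCache;

typedef enum { WALK_OK, WALK_INVALID, WALK_WOULD_ASSERT } WalkResult;

/* Same precondition that address_space_read_cached() asserts on; returns
 * false instead of aborting so the caller can report where it would have hit. */
static bool cache_read(const DescCache *c, size_t off, VRingDesc *d)
{
    if (!(off < c->len && sizeof *d <= c->len - off)) {
        return false;
    }
    memcpy(d, c->base + off, sizeof *d);
    return true;
}

/* Walk one head descriptor; `patched` selects the pre/post-patch length check. */
static WalkResult walk_head(VRingDesc head, const uint8_t *guest_mem,
                            size_t guest_len, bool patched, unsigned *ndesc)
{
    *ndesc = 0;
    if (!(head.flags & VRING_DESC_F_INDIRECT)) {
        *ndesc = 1;
        return WALK_OK;
    }
    bool bad_len = patched ? (!head.len || (head.len % sizeof(VRingDesc)))
                           : (head.len % sizeof(VRingDesc)) != 0;
    if (bad_len) {
        return WALK_INVALID;            /* virtio_error("Invalid size ...") */
    }
    if (head.addr > guest_len || head.len > guest_len - head.addr) {
        return WALK_INVALID;            /* virtio_error("Cannot map ...") */
    }
    /* The cache covers exactly head.len bytes, so len == 0 gives a
     * zero-length cache and the very first read at offset 0 is out of range. */
    DescCache cache = { guest_mem + head.addr, head.len };
    unsigned max = head.len / sizeof(VRingDesc);
    VRingDesc d;
    if (!cache_read(&cache, 0, &d)) {
        return WALK_WOULD_ASSERT;       /* unpatched QEMU aborted here */
    }
    for (;;) {
        if (++*ndesc > max) {
            return WALK_INVALID;        /* looped chain */
        }
        if (!(d.flags & VRING_DESC_F_NEXT)) {
            return WALK_OK;
        }
        unsigned i = d.next;
        if (i >= max) {
            return WALK_INVALID;        /* next index outside the table */
        }
        if (!cache_read(&cache, (size_t)i * sizeof(VRingDesc), &d)) {
            return WALK_WOULD_ASSERT;
        }
    }
}

/* Constructed guest RAM: a well-formed two-entry indirect table at offset 64. */
#define TABLE_OFF 64u
static void build_guest_mem(uint8_t *mem, size_t len)
{
    VRingDesc t[2] = {
        { .addr = 0x1000, .len = 512, .flags = VRING_DESC_F_NEXT, .next = 1 },
        { .addr = 0x2000, .len = 512, .flags = 0, .next = 0 },
    };
    memset(mem, 0, len);
    memcpy(mem + TABLE_OFF, t, sizeof t);
}

static WalkResult run_scenario(int which, unsigned *ndesc)
{
    uint8_t mem[256];
    build_guest_mem(mem, sizeof mem);
    VRingDesc head = { .addr = TABLE_OFF, .len = 2 * sizeof(VRingDesc),
                       .flags = VRING_DESC_F_INDIRECT, .next = 0 };
    bool patched = true;
    switch (which) {
    case 0: break;                                  /* well-formed table */
    case 1: head.len = 0; patched = false; break;   /* guest trigger, old code */
    case 2: head.len = 0; break;                    /* guest trigger, patched */
    case 3: head.len = 24; break;                   /* misaligned: old check */
    }
    return walk_head(head, mem, sizeof mem, patched, ndesc);
}

static WalkResult scenario_result(int which) { unsigned n; return run_scenario(which, &n); }
static unsigned scenario_ndesc(int which) { unsigned n; run_scenario(which, &n); return n; }

int main(void)
{
    static const char *names[] = { "OK", "INVALID (virtio_error)", "WOULD_ASSERT" };
    for (int s = 0; s < 4; s++) {
        unsigned n;
        WalkResult r = run_scenario(s, &n);
        printf("scenario %d: %s, %u descriptor(s)\n", s, names[r], n);
    }
    return 0;
}
```

Scenario 1 is the packet from the commit message against the pre-patch check: len 0 passes `len % sizeof(VRingDesc)`, the table is mapped as a zero-length cache, and the first read at index 0 violates `addr < cache->len`. Scenario 2 is the same packet after the patch, where it is rejected on the virtio_error() path before any read is attempted.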