| commit | 293084a7196b1d7781b6fe19b24e85eb8b7f4de0 | |
| author | Yongji Xie <elohimes@gmail.com> | |
| Thu, 18 Jan 2018 16:04:05 +0000 (19 00:04 +0800) | ||
| committer | Michael S. Tsirkin <mst@redhat.com> | |
| Tue, 13 Feb 2018 16:25:48 +0000 (13 18:25 +0200) | ||
| tree | 9c3adca62a86fca93bb70d452e9193881e366897 | treesnapshot (tar.gz zip) |
| parent | bb102d1da15a97c6750a4f96810cf15713be2bd6 | commitdiff |
libvhost-user: Support across-memory-boundary access
The sg list/indirect descriptor table may be contigious
in GPA but not in HVA address space. But libvhost-user
wasn't aware of that. This would cause out-of-bounds
access. Even a malicious guest could use it to get
information from the vhost-user backend.
Introduce a plen parameter in vu_gpa_to_va() so we can
handle this case, returning the actual mapped length.
Signed-off-by: Yongji Xie <xieyongji@baidu.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
The sg list/indirect descriptor table may be contigious
in GPA but not in HVA address space. But libvhost-user
wasn't aware of that. This would cause out-of-bounds
access. Even a malicious guest could use it to get
information from the vhost-user backend.
Introduce a plen parameter in vu_gpa_to_va() so we can
handle this case, returning the actual mapped length.
Signed-off-by: Yongji Xie <xieyongji@baidu.com>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
| contrib/libvhost-user/libvhost-user.c | diffblobblamehistory | |
| contrib/libvhost-user/libvhost-user.h | diffblobblamehistory |