| commit | 7423192912af36a2cdf4eb2066f17ca37904ef5e | |
| author | Dima Stepanov <dimastep@yandex-team.ru> | |
| Tue, 15 Jan 2019 10:08:47 +0000 (15 13:08 +0300) | ||
| committer | Michael S. Tsirkin <mst@redhat.com> | |
| Fri, 1 Feb 2019 22:30:53 +0000 (1 17:30 -0500) | ||
| tree | a03d12da167bdba04827842a0275f27869920fe9 | treesnapshot (tar.gz zip) |
| parent | b3fc0af1ff5e922d4dd7c875394dbd26dc7313b4 | commitdiff |
virtio: add checks for the size of the indirect table
The virtqueue_pop() and virtqueue_get_avail_bytes() routines can use the
INDIRECT table to get the data. It is possible to create a packet which
will lead to the assert message like:
include/exec/memory.h:1995: void
address_space_read_cached(MemoryRegionCache *, hwaddr, void *, int):
Assertion `addr < cache->len && len <= cache->len - addr' failed.
Aborted
To do it the first descriptor should have a link to the INDIRECT table
and set the size of it to 0. It doesn't look good that the guest should
be able to trigger the assert in qemu. Add additional check for the size
of the INDIRECT table, which should not be 0.
Signed-off-by: Dima Stepanov <dimastep@yandex-team.ru>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
The virtqueue_pop() and virtqueue_get_avail_bytes() routines can use the
INDIRECT table to get the data. It is possible to create a packet which
will lead to the assert message like:
include/exec/memory.h:1995: void
address_space_read_cached(MemoryRegionCache *, hwaddr, void *, int):
Assertion `addr < cache->len && len <= cache->len - addr' failed.
Aborted
To do it the first descriptor should have a link to the INDIRECT table
and set the size of it to 0. It doesn't look good that the guest should
be able to trigger the assert in qemu. Add additional check for the size
of the INDIRECT table, which should not be 0.
Signed-off-by: Dima Stepanov <dimastep@yandex-team.ru>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
| hw/virtio/virtio.c | diffblobblamehistory |