From: "Michael S. Tsirkin" <mst@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Peter Maydell" <peter.maydell@linaro.org>,
	"Dima Stepanov" <dimastep@yandex-team.ru>,
	"Philippe Mathieu-Daudé" <philmd@redhat.com>,
	"Cornelia Huck" <cohuck@redhat.com>,
	"Stefan Hajnoczi" <stefanha@redhat.com>
Subject: [Qemu-devel] [PULL 01/25] virtio: add checks for the size of the indirect table
Date: Mon, 4 Feb 2019 09:43:20 -0500
Message-ID: <20190204142638.27021-2-mst@redhat.com>
In-Reply-To: <20190204142638.27021-1-mst@redhat.com>

From: Dima Stepanov <dimastep@yandex-team.ru>

The virtqueue_pop() and virtqueue_get_avail_bytes() routines can use the
INDIRECT table to get the data. It is possible to create a packet which
will lead to an assert message like:
  include/exec/memory.h:1995: void
  address_space_read_cached(MemoryRegionCache *, hwaddr, void *, int):
  Assertion `addr < cache->len && len <= cache->len - addr' failed.
  Aborted
To do it, the first descriptor should have a link to the INDIRECT table
and set its size to 0. It doesn't look good that the guest should
be able to trigger the assert in qemu. Add an additional check for the size
of the INDIRECT table, which should not be 0.

Signed-off-by: Dima Stepanov <dimastep@yandex-team.ru>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
---
 hw/virtio/virtio.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 22bd1ac34e..a1ff647a66 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -646,7 +646,7 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned int *in_bytes,
         vring_desc_read(vdev, &desc, desc_cache, i);
 
         if (desc.flags & VRING_DESC_F_INDIRECT) {
-            if (desc.len % sizeof(VRingDesc)) {
+            if (!desc.len || (desc.len % sizeof(VRingDesc))) {
                 virtio_error(vdev, "Invalid size for indirect buffer table");
                 goto err;
             }
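Review bot: the new condition `if (!desc.len || (desc.len % sizeof(VRingDesc)))` now rejects two distinct cases (an empty table and a length that is not a multiple of sizeof(VRingDesc)) under the one unchanged message "Invalid size for indirect buffer table"; since virtio_error() takes a format string, consider `virtio_error(vdev, "Invalid size %u for indirect buffer table", desc.len);` so that a guest-triggered rejection can be told apart in the log without a debugger.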
@@ -902,7 +902,7 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz)
     desc_cache = &caches->desc;
     vring_desc_read(vdev, &desc, desc_cache, i);
     if (desc.flags & VRING_DESC_F_INDIRECT) {
-        if (desc.len % sizeof(VRingDesc)) {
+        if (!desc.len || (desc.len % sizeof(VRingDesc))) {
             virtio_error(vdev, "Invalid size for indirect buffer table");
             goto done;
         }
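Review bot: this hunk duplicates the exact length test added to virtqueue_get_avail_bytes() in the previous hunk, so the two sites can drift apart the next time one of them is tightened; a small static helper (a hypothetical `virtqueue_indirect_len_ok(desc.len)`, say) returning false for `!desc.len || (desc.len % sizeof(VRingDesc))` would let both callers share one definition of a valid indirect table size.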
-- 
MST
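As an added example, not part of this patch or of QEMU's code: a small C model of the INDIRECT-table walk from virtqueue_get_avail_bytes() with the length check the patch introduces, run over a constructed guest memory window; the function and type names (indirect_chain_bytes, check_case, vring_desc_t) are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added example, not QEMU code: a model of the INDIRECT-table walk in
 * virtqueue_get_avail_bytes() with the length check the patch adds. */
#define VRING_DESC_F_NEXT     1
#define VRING_DESC_F_WRITE    2
#define VRING_DESC_F_INDIRECT 4
typedef struct {  /* same 16-byte layout as the virtio VRingDesc */
    uint64_t addr; uint32_t len; uint16_t flags; uint16_t next;
} vring_desc_t;

/* Walk the indirect table 'head' points at inside the guest memory window
 * mem[0..mem_len). Returns the chain length, or -1 when the table is rejected
 * (where QEMU would call virtio_error() instead of hitting an assert). */
int indirect_chain_bytes(const uint8_t *mem, size_t mem_len,
                         const vring_desc_t *head, size_t *in_bytes, size_t *out_bytes)
{
    /* the patch's check: an empty or mis-sized table is an error, not an assert */
    if (!head->len || (head->len % sizeof(vring_desc_t))) return -1;
    /* the whole table must lie inside the mapped window (the cache length) */
    if (head->addr > mem_len || head->len > mem_len - head->addr) return -1;
    unsigned max = head->len / sizeof(vring_desc_t), i = 0, count = 0;
    size_t in = 0, out = 0;
    for (;;) {
        vring_desc_t d;
        memcpy(&d, mem + head->addr + i * sizeof d, sizeof d);
        if (d.flags & VRING_DESC_F_INDIRECT) return -1;  /* no nested tables */
        if (d.flags & VRING_DESC_F_WRITE) in += d.len; else out += d.len;
        if (++count > max) return -1;                    /* chain loops */
        if (!(d.flags & VRING_DESC_F_NEXT)) break;
        i = d.next;
        if (i >= max) return -1;                         /* 'next' outside table */
    }
    *in_bytes = in; *out_bytes = out;
    return (int)count;
}

/* Constructed 64-byte guest window with a two-entry table at offset 16 (100
 * bytes out, then 50 bytes in); returns the walk result for a head of addr/len. */
int check_case(uint64_t addr, uint32_t len, size_t *in, size_t *out)
{
    uint8_t mem[64] = {0};
    vring_desc_t t[2] = {{0x1000, 100, VRING_DESC_F_NEXT, 1},
                         {0x2000, 50, VRING_DESC_F_WRITE, 0}};
    vring_desc_t head = {addr, len, VRING_DESC_F_INDIRECT, 0};
    memcpy(mem + 16, t, sizeof t);
    return indirect_chain_bytes(mem, sizeof mem, &head, in, out);
}
```

The zero-length case from the commit message (`check_case(16, 0, ...)`) is rejected before any descriptor is read, which is the point of the patch.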
