aboutsummaryrefslogtreecommitdiff
path: root/hw/virtio-pci.c
diff options
context:
space:
mode:
authorStefan Hajnoczi <stefanha@linux.vnet.ibm.com>2011-05-08 22:29:07 +0100
committerMichael S. Tsirkin <mst@redhat.com>2011-06-12 10:33:38 +0300
commit7157e2e23e89adcd436caeab31fdd6b47eded377 (patch)
tree5012c5e003f5d66032ef7892240ad8c9a9abe5eb /hw/virtio-pci.c
parente75ccf2c033fb0503d6cb7ddd0fd1dfa0aa4fc16 (diff)
virtio: guard against negative vq notifies
The virtio_queue_notify() function checks that the virtqueue number is less than the maximum number of virtqueues. A signed comparison is used but the virtqueue number could be negative if a buggy or malicious guest is run. This results in memory accesses outside of the virtqueue array. It is risky doing input validation in common code instead of at the guest<->host boundary. Note that virtio_queue_set_addr(), virtio_queue_get_addr(), virtio_queue_get_num(), and many other virtio functions do *not* validate the virtqueue number argument. Instead of fixing the comparison in virtio_queue_notify(), move the comparison to the virtio bindings (just like VIRTIO_PCI_QUEUE_SEL) where we have a uint32_t value and can avoid ever calling into common virtio code if the virtqueue number is invalid. Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Diffstat (limited to 'hw/virtio-pci.c')
-rw-r--r--hw/virtio-pci.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
index 270e2c7438..b86c441623 100644
--- a/hw/virtio-pci.c
+++ b/hw/virtio-pci.c
@@ -348,7 +348,9 @@ static void virtio_ioport_write(void *opaque, uint32_t addr, uint32_t val)
vdev->queue_sel = val;
break;
case VIRTIO_PCI_QUEUE_NOTIFY:
- virtio_queue_notify(vdev, val);
+ if (val < VIRTIO_PCI_QUEUE_MAX) {
+ virtio_queue_notify(vdev, val);
+ }
break;
case VIRTIO_PCI_STATUS:
if (!(val & VIRTIO_CONFIG_S_DRIVER_OK)) {