From: Dima Stepanov
To: mst@redhat.com, qemu-devel@nongnu.org
Cc: dimastep@yandex-team.ru, wrfsh@yandex-team.ru
Date: Tue, 15 Jan 2019 13:08:47 +0300
Message-Id: <1547546927-18006-1-git-send-email-dimastep@yandex-team.ru>
Subject: [Qemu-devel] [PATCH v1] virtio: add checks for the size of the indirect table

The virtqueue_pop() and virtqueue_get_avail_bytes() routines can use the
INDIRECT table to get the data. It is possible to create a packet which
will lead to the assert message like:

  include/exec/memory.h:1995: void address_space_read_cached(MemoryRegionCache *, hwaddr, void *, int): Assertion `addr < cache->len && len <= cache->len - addr' failed.
  Aborted

To do it the first descriptor should have a link to the INDIRECT table and
set the size of it to 0. It doesn't look good that the guest should be able
to trigger the assert in qemu. Add an additional check for the size of the
INDIRECT table, which should not be 0.

Signed-off-by: Dima Stepanov
Reviewed-by: Cornelia Huck
Reviewed-by: Philippe Mathieu-Daudé
Reviewed-by: Stefan Hajnoczi
---
 hw/virtio/virtio.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 22bd1ac..a1ff647 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -646,7 +646,7 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned = int *in_bytes, vring_desc_read(vdev, &desc, desc_cache, i); =20 if (desc.flags & VRING_DESC_F_INDIRECT) { - if (desc.len % sizeof(VRingDesc)) { + if (!desc.len || (desc.len % sizeof(VRingDesc))) { virtio_error(vdev, "Invalid size for indirect buffer table= "); goto err; } @@ -902,7 +902,7 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz) desc_cache =3D &caches->desc; vring_desc_read(vdev, &desc, desc_cache, i); if (desc.flags & VRING_DESC_F_INDIRECT) { - if (desc.len % sizeof(VRingDesc)) { + if (!desc.len || (desc.len % sizeof(VRingDesc))) { virtio_error(vdev, "Invalid size for indirect buffer table"); goto done; } --=20 2.7.4
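Review bot: the condition added in the virtqueue_get_avail_bytes() hunk, `if (!desc.len || (desc.len % sizeof(VRingDesc)))`, is now duplicated verbatim in the virtqueue_pop() hunk; a small static helper (for example one that returns the descriptor count or 0 on an invalid length) would keep the two validation sites from drifting apart the next time a bound is added to one of them. The shape of the fix is right for guest-controlled input: the rejected head descriptor goes through virtio_error() and `goto err`, so the device is marked broken and the request dropped instead of reaching the address_space_read_cached() assertion quoted in the commit message, which aborts the whole QEMU process.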
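Review bot: in the virtqueue_pop() hunk the unchanged message "Invalid size for indirect buffer table" now covers two distinct causes, a zero length and a length that is not a multiple of sizeof(VRingDesc); assuming virtio_error() takes printf-style arguments, appending desc.len to the message would make the guest's mistake diagnosable from the log alone. A qtest that places a zero-length indirect descriptor in the ring would also keep this path covered once the patch lands.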
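To make the failure mode concrete outside of QEMU, here is an added example (my own code, not from the patch or from QEMU) that models an indirect descriptor table in a plain buffer standing in for guest memory. The VRingDesc layout is the 16-byte split-ring descriptor from the virtio specification; the `indirect_table_count()` check mirrors the patched condition, and `walk_indirect_chain()` shows what the check protects: with the table's extent validated up front, a zero-length or misaligned table is rejected before any read, and a `next` index pointing outside the table is refused rather than followed. All function names and the sample table contents are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Split-ring descriptor layout from the virtio specification (16 bytes). */
typedef struct {
    uint64_t addr;
    uint32_t len;
    uint16_t flags;
    uint16_t next;
} VRingDesc;

#define VRING_DESC_F_NEXT     1
#define VRING_DESC_F_INDIRECT 4

/* The patched condition: an indirect table is only usable if its length is
 * non-zero and a whole number of descriptors. Returns the descriptor count,
 * or 0 when the length must be rejected. */
static unsigned indirect_table_count(uint32_t len)
{
    if (!len || (len % sizeof(VRingDesc))) {
        return 0;
    }
    return len / sizeof(VRingDesc);
}

/* Walk the indirect table named by `head`, which lives in `guest_mem` (a
 * plain buffer standing in for guest RAM). Every read stays inside the
 * validated table; a `next` past the table or a chain longer than the table
 * is rejected. Returns the chain length, or -1 on rejection. */
static int walk_indirect_chain(const uint8_t *guest_mem, size_t mem_len,
                               const VRingDesc *head, uint32_t *total_bytes)
{
    unsigned count, i = 0, seen = 0;

    *total_bytes = 0;
    if (!(head->flags & VRING_DESC_F_INDIRECT)) {
        return -1;
    }
    count = indirect_table_count(head->len);
    if (count == 0) {
        return -1;      /* "Invalid size for indirect buffer table" */
    }
    /* The table itself must lie within guest memory before any read. */
    if (head->addr > mem_len || head->len > mem_len - head->addr) {
        return -1;
    }
    for (;;) {
        VRingDesc d;
        memcpy(&d, guest_mem + head->addr + (size_t)i * sizeof(VRingDesc),
               sizeof d);
        *total_bytes += d.len;
        seen++;
        if (!(d.flags & VRING_DESC_F_NEXT)) {
            break;
        }
        if (d.next >= count || seen >= count) {
            return -1;  /* next points outside the table, or the chain loops */
        }
        i = d.next;
    }
    return (int)seen;
}

/* Constructed guest memory: a two-entry indirect table at offset 16. The
 * data addresses and lengths are arbitrary sample values. */
static void build_sample_mem(uint8_t *mem)
{
    VRingDesc t[2] = {
        { .addr = 0x1000, .len = 100, .flags = VRING_DESC_F_NEXT, .next = 1 },
        { .addr = 0x2000, .len = 200, .flags = 0,                 .next = 0 },
    };
    memset(mem, 0, 64);
    memcpy(mem + 16, t, sizeof t);
}

/* Walk the sample table with a head descriptor whose len is `head_len`. */
static int demo_walk(uint32_t head_len, uint32_t *total_bytes)
{
    uint8_t mem[64];
    VRingDesc head = { .addr = 16, .len = head_len,
                       .flags = VRING_DESC_F_INDIRECT, .next = 0 };
    build_sample_mem(mem);
    return walk_indirect_chain(mem, sizeof mem, &head, total_bytes);
}

static int demo_count(uint32_t head_len)
{
    uint32_t total;
    return demo_walk(head_len, &total);
}

static uint32_t demo_total(uint32_t head_len)
{
    uint32_t total;
    demo_walk(head_len, &total);
    return total;
}

int main(void)
{
    /* len=32 -> chain=2 total=300; len=0 and len=24 -> rejected (-1). */
    int ok = demo_count(32);
    printf("len=32: chain=%d total=%u\n", ok, demo_total(32));
    printf("len=0:  chain=%d\n", demo_count(0));
    printf("len=24: chain=%d\n", demo_count(24));
    return 0;
}
```

The zero-length case is the one the patch closes: without the `!len` test, `len % sizeof(VRingDesc)` is 0 and the table is accepted, after which the first descriptor read runs against a table of length 0, which is exactly the `addr < cache->len` condition the quoted QEMU assertion enforces.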