Date: Mon, 4 Feb 2019 09:43:20 -0500
From: "Michael S. Tsirkin"
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Cornelia Huck, Dima Stepanov, Stefan Hajnoczi, Philippe Mathieu-Daudé
Subject: [Qemu-devel] [PULL 01/25] virtio: add checks for the size of the indirect table
Message-ID: <20190204142638.27021-2-mst@redhat.com>
In-Reply-To: <20190204142638.27021-1-mst@redhat.com>
References: <20190204142638.27021-1-mst@redhat.com>

From: Dima Stepanov

The virtqueue_pop() and virtqueue_get_avail_bytes() routines can use the
INDIRECT table to get the data. It is possible to create a packet which
will lead to an assert message like:

  include/exec/memory.h:1995: void address_space_read_cached(MemoryRegionCache *, hwaddr, void *, int): Assertion `addr < cache->len && len <= cache->len - addr' failed.
  Aborted

To do it the first descriptor should have a link to the INDIRECT table
and set the size of it to 0. It doesn't look good that the guest should
be able to trigger the assert in qemu.

Add an additional check for the size of the INDIRECT table, which should
not be 0.

Signed-off-by: Dima Stepanov
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
Reviewed-by: Philippe Mathieu-Daudé
Reviewed-by: Cornelia Huck
Reviewed-by: Stefan Hajnoczi
---
 hw/virtio/virtio.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 22bd1ac34e..a1ff647a66 100644
--- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -646,7 +646,7 @@ void virtqueue_get_avail_bytes(VirtQueue *vq, unsigned = int *in_bytes, vring_desc_read(vdev, &desc, desc_cache, i); =20 if (desc.flags & VRING_DESC_F_INDIRECT) { - if (desc.len % sizeof(VRingDesc)) { + if (!desc.len || (desc.len % sizeof(VRingDesc))) { virtio_error(vdev, "Invalid size for indirect buffer table= "); goto err; } @@ -902,7 +902,7 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz) desc_cache =3D &caches->desc; vring_desc_read(vdev, &desc, desc_cache, i); if (desc.flags & VRING_DESC_F_INDIRECT) { - if (desc.len % sizeof(VRingDesc)) { + if (!desc.len || (desc.len % sizeof(VRingDesc))) { virtio_error(vdev, "Invalid size for indirect buffer table"); goto done; } --=20 MST
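Review bot: in the virtqueue_get_avail_bytes() hunk (@@ -646), the new `!desc.len ||` term closes the exact hole the commit message describes (0 % sizeof(VRingDesc) == 0, so the old test accepted an empty table), but the assertion quoted there, `addr < cache->len && len <= cache->len - addr`, also fails for a non-empty table whose cache window turns out shorter than desc.len; the lines after the hunk are not visible here, so please confirm that the cache-init result is compared against desc.len on this path as well, otherwise the abort remains reachable with a non-zero length. Minor: the error string is unchanged, so an empty table and a misaligned one report identically; if virtio_error() takes a format string, `"Invalid size for indirect buffer table: %u"` with desc.len would make guest-triggered errors easier to triage.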
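Review bot: the virtqueue_pop() hunk (@@ -902) repeats the condition from virtqueue_get_avail_bytes() verbatim, so the two call sites will drift the next time the rule changes; a small shared helper, for example a hypothetical `static bool virtio_indirect_len_valid(uint32_t len) { return len && !(len % sizeof(VRingDesc)); }`, called from both places would keep them in step. Since this is guest-controlled input that previously aborted the process, a regression test that queues a zero-length indirect descriptor and expects the virtio_error path rather than an abort would be worth adding alongside the fix.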
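As an added illustration (not part of the patch or of QEMU's own code), the following C model puts the pre- and post-patch length checks from the two hunks next to the assertion predicate quoted in the commit message, using the 16-byte split-ring descriptor layout from the virtio specification; `indirect_table_entries` is a hypothetical helper standing in for the validate-then-read sequence the real callers perform.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Split-ring descriptor as laid out by the virtio spec: 16 bytes, no padding. */
typedef struct {
    uint64_t addr;
    uint32_t len;
    uint16_t flags;
    uint16_t next;
} VRingDesc;

/* Pre-patch check: only rejects a length that is not a whole number of descriptors.
 * 0 % 16 == 0, so an empty table slips through. */
static bool indirect_len_ok_old(uint32_t len)
{
    return (len % sizeof(VRingDesc)) == 0;
}

/* Post-patch check: the same, plus an explicit rejection of an empty table. */
static bool indirect_len_ok_new(uint32_t len)
{
    return len != 0 && (len % sizeof(VRingDesc)) == 0;
}

/* The condition address_space_read_cached() asserts on, per the commit message:
 * addr < cache->len && len <= cache->len - addr. With cache_len == 0 it is false
 * for every read, which is the abort the patch prevents. */
static bool cached_read_in_bounds(uint64_t cache_len, uint64_t addr, uint64_t len)
{
    return addr < cache_len && len <= cache_len - addr;
}

/* Hypothetical stand-in for the caller: validate the guest-supplied table length,
 * then read entry 0 from a cache window of table_len bytes. Returns the number of
 * entries, -1 for the virtio_error path, -2 where the old code would have asserted. */
static int indirect_table_entries(uint32_t table_len, bool use_new_check)
{
    bool ok = use_new_check ? indirect_len_ok_new(table_len)
                            : indirect_len_ok_old(table_len);
    if (!ok) {
        return -1;                      /* reported to the guest as a device error */
    }
    if (!cached_read_in_bounds(table_len, 0, sizeof(VRingDesc))) {
        return -2;                      /* assertion failure: process abort */
    }
    return (int)(table_len / sizeof(VRingDesc));
}
```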