44 lines
1.6 KiB
Plaintext
44 lines
1.6 KiB
Plaintext
patches for XSA-184 from upstream:
|
|
|
|
From 17d8c4e47dfb41cb6778520ff2eab7a11fe12dfd Mon Sep 17 00:00:00 2001
|
|
From: P J P <ppandit@redhat.com>
|
|
Date: Tue, 26 Jul 2016 15:31:59 +0100
|
|
Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
|
|
|
|
A broken or malicious guest can submit more requests than the virtqueue
|
|
size permits.
|
|
|
|
The guest can submit requests without bothering to wait for completion
|
|
and is therefore not bound by virtqueue size. This requires reusing
|
|
vring descriptors in more than one request, which is incorrect but
|
|
possible. Processing a request allocates a VirtQueueElement and
|
|
therefore causes unbounded memory allocation controlled by the guest.
|
|
|
|
Exit with an error if the guest provides more requests than the
|
|
virtqueue size permits. This bounds memory allocation and makes the
|
|
buggy guest visible to the user.
|
|
|
|
Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
|
|
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
|
|
---
|
|
hw/virtio.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/hw/virtio.c b/hw/virtio.c
|
|
index c26feff..42897bf 100644
|
|
--- qemu-xen-traditional/hw/virtio.c.orig 2016-01-04 15:36:03.000000000 +0000
|
|
+++ qemu-xen-traditional/hw/virtio.c 2016-09-11 11:01:37.000000000 +0000
|
|
@@ -421,6 +421,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQue
|
|
/* When we start there are none of either input nor output. */
|
|
elem->out_num = elem->in_num = 0;
|
|
|
|
+ if (vq->inuse >= vq->vring.num) {
|
|
+ fprintf(stderr, "Virtqueue size exceeded");
|
|
+ exit(1);
|
|
+ }
|
|
+
|
|
i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
|
|
do {
|
|
struct iovec *sg;
|
|
|