Commit 590fe572 authored by Cornelia Huck's avatar Cornelia Huck
Browse files

virtio-ccw: fix range check for SET_VQ 



VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be
able to trigger a write beyond the VirtQueue structure.

Cc: qemu-stable@nongnu.org
Reviewed-by: default avatarDavid Hildenbrand <dahi@linux.vnet.ibm.com>
Acked-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: default avatarCornelia Huck <cornelia.huck@de.ibm.com>
parent 627f91b1

hw/s390x/virtio-ccw.c

+1 −1
Original line number Diff line number Diff line
@@ -266,7 +266,7 @@ static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t addr, uint32_t align, 
{

    VirtIODevice *vdev = virtio_ccw_get_vdev(sch);



    if (index > VIRTIO_PCI_QUEUE_MAX) {

    if (index >= VIRTIO_PCI_QUEUE_MAX) {

        return -EINVAL;

    }