Commit 758ead31 authored by Prasad J Pandit's avatar Prasad J Pandit Committed by Michael S. Tsirkin
Browse files

virtio: check VirtQueue Vring object is set 



A guest could attempt to use an uninitialised VirtQueue object
or unset Vring.align leading to a arithmetic exception. Add check
to avoid it.

Reported-by: default avatarZhangboxian <zhangboxian@huawei.com>
Signed-off-by: default avatarPrasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: default avatarMichael S. Tsirkin <mst@redhat.com>
Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
Reviewed-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: default avatarCornelia Huck <cohuck@redhat.com>
parent 2fe45ec3

hw/virtio/virtio.c

+11 −3
Original line number Diff line number Diff line
@@ -182,7 +182,7 @@ void virtio_queue_update_rings(VirtIODevice *vdev, int n) 
{

    VRing *vring = &vdev->vq[n].vring;



    if (!vring->desc) {

    if (!vring->num || !vring->desc || !vring->align) {

        /* not yet setup -> nothing to do */

        return;

    }
@@ -1414,6 +1414,9 @@ void virtio_config_modern_writel(VirtIODevice *vdev, 


void virtio_queue_set_addr(VirtIODevice *vdev, int n, hwaddr addr)

{

    if (!vdev->vq[n].vring.num) {

        return;

    }

    vdev->vq[n].vring.desc = addr;

    virtio_queue_update_rings(vdev, n);

}
@@ -1426,6 +1429,9 @@ hwaddr virtio_queue_get_addr(VirtIODevice *vdev, int n) 
void virtio_queue_set_rings(VirtIODevice *vdev, int n, hwaddr desc,

                            hwaddr avail, hwaddr used)

{

    if (!vdev->vq[n].vring.num) {

        return;

    }

    vdev->vq[n].vring.desc = desc;

    vdev->vq[n].vring.avail = avail;

    vdev->vq[n].vring.used = used;
@@ -1494,9 +1500,11 @@ void virtio_queue_set_align(VirtIODevice *vdev, int n, int align) 
     */

    assert(k->has_variable_vring_alignment);



    if (align) {

        vdev->vq[n].vring.align = align;

        virtio_queue_update_rings(vdev, n);

    }

}



static bool virtio_queue_notify_aio_vq(VirtQueue *vq)

{