Commit 973e7170 authored Sep 19, 2016 by Prasad J Pandit Committed by Michael S. Tsirkin Sep 23, 2016

virtio: add check for descriptor's mapped address



virtio back end uses set of buffers to facilitate I/O operations.
If its size is too large, 'cpu_physical_memory_map' could return
a null address. This would result in a null dereference while
un-mapping descriptors. Add check to avoid it.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>

parent 9294d76c

hw/virtio/virtio.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -495,6 +495,11 @@ static void virtqueue_map_desc(unsigned int p_num_sg, hwaddr addr, struct iove
		}

		iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
		if (!iov[num_sg].iov_base) {
		error_report("virtio: bogus descriptor or out of resources");
		exit(1);
		}

		iov[num_sg].iov_len = len;
		addr[num_sg] = pa;