Commit c8eac1cf authored by Michael S. Tsirkin's avatar Michael S. Tsirkin
Browse files

virtio: fix indirect descriptor buffer overflow 



We were previously allowing arbitrarily-long indirect descriptors, which
could lead to a buffer overflow in qemu-kvm process.

CVE-2011-2212

Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
parent 0d2b962d

hw/virtio.c

+8 −0
Original line number Diff line number Diff line
@@ -449,9 +449,17 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem) 
        struct iovec *sg;



        if (vring_desc_flags(desc_pa, i) & VRING_DESC_F_WRITE) {

            if (elem->in_num >= ARRAY_SIZE(elem->in_sg)) {

                error_report("Too many write descriptors in indirect table");

                exit(1);

            }

            elem->in_addr[elem->in_num] = vring_desc_addr(desc_pa, i);

            sg = &elem->in_sg[elem->in_num++];

        } else {

            if (elem->out_num >= ARRAY_SIZE(elem->out_sg)) {

                error_report("Too many read descriptors in indirect table");

                exit(1);

            }

            elem->out_addr[elem->out_num] = vring_desc_addr(desc_pa, i);

            sg = &elem->out_sg[elem->out_num++];

        }