Commit f6882698 authored Apr 25, 2017 by P J P Committed by Paolo Bonzini May 05, 2017

vmw_pvscsi: check message ring page count at initialisation



A guest could set the message ring page count to zero, resulting in
infinite loop. Add check to avoid it.

Reported-by: YY Z <bigbird475958471@gmail.com>
Signed-off-by: P J P <ppandit@redhat.com>
Message-Id: <20170425130623.3649-1-ppandit@redhat.com>
Reviewed-by: Dmitry Fleytman <dmitry@daynix.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

parent c8c33fca

hw/scsi/vmw_pvscsi.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -202,7 +202,7 @@ pvscsi_ring_init_msg(PVSCSIRingInfo m, PVSCSICmdDescSetupMsgRing ri)
		uint32_t len_log2;
		uint32_t ring_size;

		if (ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
		if (!ri->numPages \|\| ri->numPages > PVSCSI_SETUP_MSG_RING_MAX_NUM_PAGES) {
		return -1;
		}
		ring_size = ri->numPages * PVSCSI_MAX_NUM_MSG_ENTRIES_PER_PAGE;