Re: [Qemu-devel] [PATCH v3 6/9] virtio-blk: Use VirtIOBlockReq.in to drop VirtIOBlockReq.inhdr
From: Stefan Hajnoczi
Subject: Re: [Qemu-devel] [PATCH v3 6/9] virtio-blk: Use VirtIOBlockReq.in to drop VirtIOBlockReq.inhdr
Date: Fri, 6 Jun 2014 15:05:32 +0200
User-agent: Mutt/1.5.23 (2014-03-12)
On Fri, Jun 06, 2014 at 09:53:27AM +0800, Fam Zheng wrote:
> @@ -200,17 +193,12 @@ static int process_request(VirtIOBlockDataPlane *s,
> VirtQueueElement *elem)
> }
> iov_discard_front(&iov, &out_num, sizeof(outhdr));
>
> + /* This is always true because it is only 1 byte, but checked here in
> case
> + * the header gets bigger in the future. */
> + assert(in_iov[in_num - 1].iov_len >= sizeof(*inhdr));
> /* Grab inhdr for later */
> - in_size = iov_size(in_iov, in_num);
> - if (in_size < sizeof(struct virtio_blk_inhdr)) {
> - error_report("virtio_blk request inhdr too short");
> - return -EFAULT;
> - }
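Review bot: the added assert() at the top of this hunk turns a guest-input check into an abort on guest-controlled data: in_num and each iov_len come from the guest's descriptor chain, so a guest can trip the assertion, and when in_num == 0 the index in_iov[in_num - 1] reads before the start of the array before the assertion is even evaluated. Keep a runtime check that fails the request rather than the process, along the lines of `if (in_num == 0 || in_iov[in_num - 1].iov_len < sizeof(*inhdr)) { error_report("virtio_blk request inhdr too short"); return -EFAULT; }`, in place of the removed in_size check.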
This assertion can be triggered by the guest. It even accesses
undefined memory when in_num == 0.
Please be careful, we need to validate guest input.
Stefan
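The validation the reply asks for, written out as an added example that is not QEMU's code: grab_inhdr() and iov_total() are hypothetical names standing in for the dataplane's request processing, and the struct virtio_blk_inhdr layout is reproduced from the virtio-blk spec (a single status byte). It rejects in_num == 0, a too-short total, and a status header that does not fit in the last descriptor, returning -EFAULT instead of asserting.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>

/* virtio-blk status footer written back to the guest (one status byte). */
struct virtio_blk_inhdr {
    uint8_t status;
};

/* Total bytes across an iovec array; does the same job as QEMU's iov_size(). */
static size_t iov_total(const struct iovec *iov, unsigned int num)
{
    size_t n = 0;
    for (unsigned int i = 0; i < num; i++) {
        n += iov[i].iov_len;
    }
    return n;
}

/*
 * Validate the guest-supplied "in" scatter-gather list before touching the
 * status header. Returns 0 and sets *inhdr on success, -EFAULT on malformed
 * input. It never asserts: in_num and every iov_len come from the guest, so a
 * bad value is a request error to report, not a host-side bug to abort on.
 */
int grab_inhdr(const struct iovec *in_iov, unsigned int in_num,
               struct virtio_blk_inhdr **inhdr)
{
    /* in_num == 0 would make in_iov[in_num - 1] read before the array. */
    if (in_num == 0) {
        fprintf(stderr, "virtio_blk request has no in descriptors\n");
        return -EFAULT;
    }
    if (iov_total(in_iov, in_num) < sizeof(**inhdr)) {
        fprintf(stderr, "virtio_blk request inhdr too short\n");
        return -EFAULT;
    }
    /* The status header is taken from the last element, so it must fit there. */
    if (in_iov[in_num - 1].iov_len < sizeof(**inhdr)) {
        fprintf(stderr, "virtio_blk request inhdr split across descriptors\n");
        return -EFAULT;
    }
    *inhdr = (struct virtio_blk_inhdr *)in_iov[in_num - 1].iov_base;
    return 0;
}
```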