Message ID | 1427384162-4994-2-git-send-email-cornelia.huck@de.ibm.com |
---|---|
State | New |
Headers | show |
Am 26.03.2015 um 16:35 schrieb Cornelia Huck: > VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be > able to trigger a write beyond the VirtQueue structure. > > Cc: qemu-stable@nongnu.org > Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com> > Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com> Acked-by: Christian Borntraeger <borntraeger@de.ibm.com> > --- > hw/s390x/virtio-ccw.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c > index 130535c..ceb6a45 100644 > --- a/hw/s390x/virtio-ccw.c > +++ b/hw/s390x/virtio-ccw.c > @@ -266,7 +266,7 @@ static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t addr, uint32_t align, > { > VirtIODevice *vdev = virtio_ccw_get_vdev(sch); > > - if (index > VIRTIO_PCI_QUEUE_MAX) { > + if (index >= VIRTIO_PCI_QUEUE_MAX) { > return -EINVAL; > } >
diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c index 130535c..ceb6a45 100644 --- a/hw/s390x/virtio-ccw.c +++ b/hw/s390x/virtio-ccw.c @@ -266,7 +266,7 @@ static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t addr, uint32_t align, { VirtIODevice *vdev = virtio_ccw_get_vdev(sch); - if (index > VIRTIO_PCI_QUEUE_MAX) { + if (index >= VIRTIO_PCI_QUEUE_MAX) { return -EINVAL; }