From patchwork Thu Apr 25 07:43:27 2013
X-Patchwork-Submitter: Jason Wang
X-Patchwork-Id: 239412
From: Jason Wang To: aliguori@us.ibm.com, qemu-devel@nongnu.org, mst@redhat.com Date: Thu, 25 Apr 2013 15:43:27 +0800 Message-Id: <1366875807-3491-1-git-send-email-jasowang@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x X-Received-From: 209.132.183.28 Cc: Jason Wang Subject: [Qemu-devel] [PATCH] virtio: abort on zero config length X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org In fact we don't support zero length config length for virtio device. And it can lead outbound memory access. So abort on zero config length to catch the bug earlier. Signed-off-by: Jason Wang Acked-by: Michael S. Tsirkin --- hw/virtio/virtio.c | 7 ++----- 1 files changed, 2 insertions(+), 5 deletions(-) diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 1c2282c..a6fa667 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -923,6 +923,7 @@ void virtio_init(VirtIODevice *vdev, const char *name, uint16_t device_id, size_t config_size) { int i; + assert(config_size); vdev->device_id = device_id; vdev->status = 0; vdev->isr = 0; @@ -938,11 +939,7 @@ void virtio_init(VirtIODevice *vdev, const char *name, vdev->name = name; vdev->config_len = config_size; - if (vdev->config_len) { - vdev->config = g_malloc0(config_size); - } else { - vdev->config = NULL; - } + vdev->config = g_malloc0(config_size); vdev->vmstate = qemu_add_vm_change_state_handler(virtio_vmstate_change, vdev); }
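Review bot: the new `assert(config_size);` at the top of virtio_init() turns a zero-length config into an immediate abort, but neither the commit message nor the hunk says where the out-of-bounds access it is meant to catch actually happens, so a reviewer cannot tell from this patch alone that a zero config_size is purely a device-model programming error rather than something reachable from guest input; please name the offending access path in the commit message, and a one-line comment above the assert stating that config_size is fixed by the device model would make the same point in the code.

Review bot: the second hunk's unconditional `vdev->config = g_malloc0(config_size);` depends entirely on the assert added in the first hunk: g_malloc0() returns NULL for a zero size, so if that assert were ever compiled out, config_size == 0 would silently produce exactly the NULL config pointer the removed `else { vdev->config = NULL; }` branch used to assign, with none of the early reporting this patch is adding. That is fine as long as QEMU builds never define NDEBUG, but it is worth stating in the commit message (or in a comment next to the allocation) that the assert, not the allocation, is what enforces the non-zero length, so nobody later treats the assert as removable.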