[for-2.3,1/4] virtio-ccw: fix range check for SET_VQ

Message ID	1427384162-4994-2-git-send-email-cornelia.huck@de.ibm.com
State	New
Headers	show Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org> Gateway: Authorized Use Only! Violators will be prosecuted for <qemu-devel@nongnu.org> from <cornelia.huck@de.ibm.com>; Thu, 26 Mar 2015 15:36:08 -0000 Gateway: Authorized Use Only! Violators will be prosecuted; Thu, 26 Mar 2015 15:36:07 -0000 From: Cornelia Huck <cornelia.huck@de.ibm.com> To: qemu-devel@nongnu.org Date: Thu, 26 Mar 2015 16:35:59 +0100 Message-Id: <1427384162-4994-2-git-send-email-cornelia.huck@de.ibm.com> In-Reply-To: <1427384162-4994-1-git-send-email-cornelia.huck@de.ibm.com> References: <1427384162-4994-1-git-send-email-cornelia.huck@de.ibm.com> Cc: Cornelia Huck <cornelia.huck@de.ibm.com>, borntraeger@de.ibm.com, jfrei@linux.vnet.ibm.com, agraf@suse.de, qemu-stable@nongnu.org Subject: [Qemu-devel] [PATCH for-2.3 1/4] virtio-ccw: fix range check for SET_VQ Precedence: list Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Message ID

1427384162-4994-2-git-send-email-cornelia.huck@de.ibm.com

State

New

Headers

From: Cornelia Huck <cornelia.huck@de.ibm.com>
To: qemu-devel@nongnu.org
Date: Thu, 26 Mar 2015 16:35:59 +0100
Message-Id: <1427384162-4994-2-git-send-email-cornelia.huck@de.ibm.com>
In-Reply-To: <1427384162-4994-1-git-send-email-cornelia.huck@de.ibm.com>
References: <1427384162-4994-1-git-send-email-cornelia.huck@de.ibm.com>
Cc: Cornelia Huck <cornelia.huck@de.ibm.com>, borntraeger@de.ibm.com,
	jfrei@linux.vnet.ibm.com, agraf@suse.de, qemu-stable@nongnu.org
Subject: [Qemu-devel] [PATCH for-2.3 1/4] virtio-ccw: fix range check for
	SET_VQ
Precedence: list
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

Commit Message

Cornelia Huck March 26, 2015, 3:35 p.m. UTC

VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be
able to trigger a write beyond the VirtQueue structure.

Cc: qemu-stable@nongnu.org
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
---
 hw/s390x/virtio-ccw.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Christian Borntraeger March 27, 2015, 9:04 a.m. UTC | #1

Am 26.03.2015 um 16:35 schrieb Cornelia Huck:
> VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be
> able to trigger a write beyond the VirtQueue structure.
> 
> Cc: qemu-stable@nongnu.org
> Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>

> ---
>  hw/s390x/virtio-ccw.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
> index 130535c..ceb6a45 100644
> --- a/hw/s390x/virtio-ccw.c
> +++ b/hw/s390x/virtio-ccw.c
> @@ -266,7 +266,7 @@ static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t addr, uint32_t align,
>  {
>      VirtIODevice *vdev = virtio_ccw_get_vdev(sch);
> 
> -    if (index > VIRTIO_PCI_QUEUE_MAX) {
> +    if (index >= VIRTIO_PCI_QUEUE_MAX) {
>          return -EINVAL;
>      }
>

diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
index 130535c..ceb6a45 100644
--- a/hw/s390x/virtio-ccw.c
+++ b/hw/s390x/virtio-ccw.c
@@ -266,7 +266,7 @@  static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t addr, uint32_t align,
 {
     VirtIODevice *vdev = virtio_ccw_get_vdev(sch);
 
-    if (index > VIRTIO_PCI_QUEUE_MAX) {
+    if (index >= VIRTIO_PCI_QUEUE_MAX) {
         return -EINVAL;
     }

[for-2.3,1/4] virtio-ccw: fix range check for SET_VQ

Commit Message

Comments

Patch