* drivers/vhost: sizing of ubuf_info and heads
From: Rusty Russell @ 2013-03-08  2:57 UTC
  To: mst; +Cc: netdev, virtualization

Hi Michael,

        I'm a bit confused about why ubuf_info and heads are UIO_MAXIOV
length arrays, rather than being the size of the ring?  In particular,
this is suspicious:

linux/drivers/vhost/net.c:342:	struct ubuf_info *ubuf = &vq->ubuf_info[head];

And it seems to assume we trust head: a malicious guest could put the
same head entry in the ring twice, and we will get two callbacks on the
same value.  I don't know what that will do, but I'm not sure it's
harmless.

Thanks,
Rusty.
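
The concern raised in the message above, sketched as an added example that is not part of the original post and not vhost code: a host-side check that refuses a guest-supplied head index when it is out of range or still outstanding, so a per-head completion slot is never handed out twice. RING_SIZE, struct inflight, claim_head and release_head are hypothetical names chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical ring size; a real virtqueue size is set when the ring is created. */
#define RING_SIZE 256u
#define BITS_PER_WORD 64u

/* One bit per descriptor head that the host currently has outstanding. */
struct inflight {
    uint64_t bits[RING_SIZE / BITS_PER_WORD];
};

enum claim_result { CLAIM_OK = 0, CLAIM_OUT_OF_RANGE = -1, CLAIM_DUPLICATE = -2 };

static void inflight_init(struct inflight *f)
{
    memset(f->bits, 0, sizeof(f->bits));
}

/*
 * Validate a guest-supplied head before it is used as an array index.
 * Rejects indices beyond the ring and heads that are still outstanding.
 */
static enum claim_result claim_head(struct inflight *f, uint32_t head)
{
    if (head >= RING_SIZE)
        return CLAIM_OUT_OF_RANGE;

    uint64_t mask = UINT64_C(1) << (head % BITS_PER_WORD);
    uint64_t *word = &f->bits[head / BITS_PER_WORD];

    if (*word & mask)
        return CLAIM_DUPLICATE;   /* same head submitted twice */
    *word |= mask;
    return CLAIM_OK;
}

/* Called once from the completion path; false means head was never claimed. */
static bool release_head(struct inflight *f, uint32_t head)
{
    if (head >= RING_SIZE)
        return false;
    uint64_t mask = UINT64_C(1) << (head % BITS_PER_WORD);
    uint64_t *word = &f->bits[head / BITS_PER_WORD];
    if (!(*word & mask))
        return false;             /* second completion for the same head */
    *word &= ~mask;
    return true;
}
```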
