* drivers/vhost: sizing of ubuf_info and heads
@ 2013-03-08 2:57 Rusty Russell
From: Rusty Russell @ 2013-03-08 2:57 UTC
To: mst; +Cc: netdev, virtualization

Hi Michael,

I'm a bit confused about why ubuf_info and heads are UIO_MAXIOV
length arrays, rather than being the size of the ring? In particular,
this is suspicious:

    linux/drivers/vhost/net.c:342: struct ubuf_info *ubuf = &vq->ubuf_info[head];

And it seems to assume we trust head: a malicious guest could put the
same head entry in the ring twice, and we will get two callbacks on the
same value. I don't know what that will do, but I'm not sure it's
harmless.

Thanks,
Rusty.
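
Added example, not part of the message above and not code from drivers/vhost: a minimal sketch of a host-side check that refuses a guest-supplied head when it is out of range or already in flight, so each head yields exactly one completion callback. The names `struct inflight`, `inflight_claim`, `inflight_complete` and the `RING_MAX` bound are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define RING_MAX 1024   /* assumed upper bound on ring size (hypothetical) */
enum { HEAD_OK = 0, HEAD_OUT_OF_RANGE = -1, HEAD_DUPLICATE = -2, HEAD_NOT_BUSY = -3 };

/* Hypothetical tracker: one bit per descriptor head currently in flight. */
struct inflight {
    unsigned int ring_size;            /* actual ring size, <= RING_MAX */
    uint64_t busy[RING_MAX / 64];
};

/* Call before a guest-supplied head is used as an array index. */
static int inflight_claim(struct inflight *t, unsigned int head)
{
    if (head >= t->ring_size || head >= RING_MAX)
        return HEAD_OUT_OF_RANGE;
    if (t->busy[head / 64] & (UINT64_C(1) << (head % 64)))
        return HEAD_DUPLICATE;         /* same head offered twice */
    t->busy[head / 64] |= UINT64_C(1) << (head % 64);
    return HEAD_OK;
}

/* Call from the completion callback; a second callback is rejected. */
static int inflight_complete(struct inflight *t, unsigned int head)
{
    if (head >= t->ring_size || head >= RING_MAX)
        return HEAD_OUT_OF_RANGE;
    if (!(t->busy[head / 64] & (UINT64_C(1) << (head % 64))))
        return HEAD_NOT_BUSY;
    t->busy[head / 64] &= ~(UINT64_C(1) << (head % 64));
    return HEAD_OK;
}

int main(void)
{
    unsigned int heads[] = { 3, 7, 3, 300 };   /* constructed guest input */
    struct inflight t = { .ring_size = 256 };

    for (int i = 0; i < 4; i++)
        printf("head %u -> %d\n", heads[i], inflight_claim(&t, heads[i]));
    return 0;
}
```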