From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([140.186.70.92]:47330) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QoW7r-0000LF-Dk for qemu-devel@nongnu.org; Wed, 03 Aug 2011 03:44:24 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QoW7q-0008AI-AF for qemu-devel@nongnu.org; Wed, 03 Aug 2011 03:44:23 -0400 Received: from e7.ny.us.ibm.com ([32.97.182.137]:37612) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QoW7q-0008A2-7P for qemu-devel@nongnu.org; Wed, 03 Aug 2011 03:44:22 -0400 Received: from d01relay04.pok.ibm.com (d01relay04.pok.ibm.com [9.56.227.236]) by e7.ny.us.ibm.com (8.14.4/8.13.1) with ESMTP id p737IPWc007870 for ; Wed, 3 Aug 2011 03:18:25 -0400 Received: from d03av02.boulder.ibm.com (d03av02.boulder.ibm.com [9.17.195.168]) by d01relay04.pok.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id p737iIWM137540 for ; Wed, 3 Aug 2011 03:44:19 -0400 Received: from d03av02.boulder.ibm.com (loopback [127.0.0.1]) by d03av02.boulder.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id p731hpcG007744 for ; Tue, 2 Aug 2011 19:43:51 -0600 From: Supriya Kannery Date: Wed, 03 Aug 2011 13:26:05 +0530 Message-Id: <20110803075605.20746.94441.sendpatchset@skannery> Subject: [Qemu-devel] [Patch] virtio: security patch List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org Cc: Stefan Hajnoczi , "Michael S. Tsirkin" For security purpose, convert 'int i' to 'unsigned int i' in virtio functions, so that range of index is restricted to positive value. Signed-off-by: Supriya Kannery (supriyak@linux.vnet.ibm.com)
---
 hw/virtio.c | 27 +++++++++++++++++----------
 hw/virtio.h | 3 ++-
 2 files changed, 19 insertions(+), 11 deletions(-)
Index: qemu/hw/virtio.c
===================================================================
--- qemu.orig/hw/virtio.c
+++ qemu/hw/virtio.c
@@ -101,28 +101,32 @@ static void virtqueue_init(VirtQueue *vq
 VIRTIO_PCI_VRING_ALIGN);
 }
 
-static inline uint64_t vring_desc_addr(target_phys_addr_t desc_pa, int i)
+static inline uint64_t vring_desc_addr(target_phys_addr_t desc_pa,
+ unsigned int i)
 {
 target_phys_addr_t pa;
 pa = desc_pa + sizeof(VRingDesc) * i + offsetof(VRingDesc, addr);
 return ldq_phys(pa);
 }
 
-static inline uint32_t vring_desc_len(target_phys_addr_t desc_pa, int i)
+static inline uint32_t vring_desc_len(target_phys_addr_t desc_pa,
+ unsigned int i)
 {
 target_phys_addr_t pa;
 pa = desc_pa + sizeof(VRingDesc) * i + offsetof(VRingDesc, len);
 return ldl_phys(pa);
 }
 
-static inline uint16_t vring_desc_flags(target_phys_addr_t desc_pa, int i)
+static inline uint16_t vring_desc_flags(target_phys_addr_t desc_pa,
+ unsigned int i)
 {
 target_phys_addr_t pa;
 pa = desc_pa + sizeof(VRingDesc) * i + offsetof(VRingDesc, flags);
 return lduw_phys(pa);
 }
 
-static inline uint16_t vring_desc_next(target_phys_addr_t desc_pa, int i)
+static inline uint16_t vring_desc_next(target_phys_addr_t desc_pa,
+ unsigned int i)
 {
 target_phys_addr_t pa;
 pa = desc_pa + sizeof(VRingDesc) * i + offsetof(VRingDesc, next);
@@ -143,7 +147,7 @@ static inline uint16_t vring_avail_idx(V
 return lduw_phys(pa);
 }
 
-static inline uint16_t vring_avail_ring(VirtQueue *vq, int i)
+static inline uint16_t vring_avail_ring(VirtQueue *vq, unsigned int i)
 {
 target_phys_addr_t pa;
 pa = vq->vring.avail + offsetof(VRingAvail, ring[i]);
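Review bot: Taking `unsigned int i` in vring_desc_addr/len/flags/next and vring_avail_ring does not add the bound that protects these reads: `desc_pa + sizeof(VRingDesc) * i` is still computed for whatever `i` arrives and nothing in the hunk compares `i` with `vq->vring.num`, so any such check has to live in the callers, which are outside these hunks. The index sources visible here are already unsigned (vring_desc_next and vring_avail_ring are declared uint16_t, and virtqueue_next_desc returns unsigned per the -334 hunk header), so it looks like a negative index was not reachable before either; the change is type hygiene, and the description's "restricted to positive value" overstates it (unsigned means non-negative, and 0 is a valid index). I would record the precondition once above vring_desc_addr: `/* i is a descriptor index; callers must reject i >= vq->vring.num before using these accessors. */`. The same applies to vring_used_ring_id/vring_used_ring_len in the hunk at -155.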
@@ -155,14 +159,16 @@ static inline uint16_t vring_used_event(
 return vring_avail_ring(vq, vq->vring.num);
 }
 
-static inline void vring_used_ring_id(VirtQueue *vq, int i, uint32_t val)
+static inline void vring_used_ring_id(VirtQueue *vq, unsigned int i,
+ uint32_t val)
 {
 target_phys_addr_t pa;
 pa = vq->vring.used + offsetof(VRingUsed, ring[i].id);
 stl_phys(pa, val);
 }
 
-static inline void vring_used_ring_len(VirtQueue *vq, int i, uint32_t val)
+static inline void vring_used_ring_len(VirtQueue *vq, unsigned int i,
+ uint32_t val)
 {
 target_phys_addr_t pa;
 pa = vq->vring.used + offsetof(VRingUsed, ring[i].len);
@@ -334,10 +340,11 @@ static unsigned virtqueue_next_desc(targ
 return next;
 }
 
-int virtqueue_avail_bytes(VirtQueue *vq, int in_bytes, int out_bytes)
+int virtqueue_avail_bytes(VirtQueue *vq, unsigned int in_bytes,
+ unsigned int out_bytes)
 {
 unsigned int idx;
- int total_bufs, in_total, out_total;
+ unsigned int total_bufs, in_total, out_total;
 
 idx = vq->last_avail_idx;
 
@@ -345,7 +352,7 @@ int virtqueue_avail_bytes(VirtQueue *vq,
 while (virtqueue_num_heads(vq, idx)) {
 unsigned int max, num_bufs, indirect = 0;
 target_phys_addr_t desc_pa;
- int i;
+ unsigned int i;
 
 max = vq->vring.num;
 num_bufs = total_bufs;
Index: qemu/hw/virtio.h
===================================================================
--- qemu.orig/hw/virtio.h
+++ qemu/hw/virtio.h
@@ -156,7 +156,8 @@ void virtqueue_fill(VirtQueue *vq, const
 void virtqueue_map_sg(struct iovec *sg, target_phys_addr_t *addr,
 size_t num_sg, int is_write);
 int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem);
-int virtqueue_avail_bytes(VirtQueue *vq, int in_bytes, int out_bytes);
+int virtqueue_avail_bytes(VirtQueue *vq, unsigned int in_bytes,
+ unsigned int out_bytes);
 
 void virtio_notify(VirtIODevice *vdev, VirtQueue *vq);
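Review bot: `unsigned int total_bufs, in_total, out_total;` in virtqueue_avail_bytes turns signed overflow (undefined) into silent wraparound, but wraparound is not a bound: descriptor lengths are guest-supplied 32-bit values (vring_desc_len returns uint32_t in the -101 hunk), so if the loop body, which continues past the -345 hunk, sums them into in_total/out_total, a chain of large descriptors can wrap the counter and a later comparison against in_bytes/out_bytes could be satisfied spuriously. Consider widening the two counters to uint64_t, or treating an addition that would wrap as a malformed chain. The part of this change that is clearly right is consistency: `num_bufs = total_bufs;` in the -345 hunk assigns to an already-unsigned num_bufs, so making total_bufs unsigned removes a signed-to-unsigned conversion, and the commit message would be stronger stating that than a generic security claim. Since the prototype in hw/virtio.h (hunk at -156) changes too, any existing caller passing a negative int for in_bytes/out_bytes would now pass a large unsigned value silently; worth checking the callers before merging.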