Date: Fri, 6 Jun 2014 15:05:32 +0200
From: Stefan Hajnoczi
To: Fam Zheng
Cc: Kevin Wolf, Paolo Bonzini, qemu-devel@nongnu.org, Stefan Hajnoczi
Subject: Re: [Qemu-devel] [PATCH v3 6/9] virtio-blk: Use VirtIOBlockReq.in to drop VirtIOBlockReq.inhdr
Message-ID: <20140606130532.GB14322@stefanha-thinkpad>
In-Reply-To: <1402019610-2985-7-git-send-email-famz@redhat.com>
References: <1402019610-2985-1-git-send-email-famz@redhat.com> <1402019610-2985-7-git-send-email-famz@redhat.com>

On Fri, Jun 06, 2014 at 09:53:27AM +0800, Fam Zheng wrote:
> @@ -200,17 +193,12 @@ static int process_request(VirtIOBlockDataPlane *s, VirtQueueElement *elem)
>      }
>      iov_discard_front(&iov, &out_num, sizeof(outhdr));
>  
> +    /* This is always true because it is only 1 byte, but checked here in case
> +     * the header gets bigger in the future. */
> +    assert(in_iov[in_num - 1].iov_len >= sizeof(*inhdr));
>      /* Grab inhdr for later */
> -    in_size = iov_size(in_iov, in_num);
> -    if (in_size < sizeof(struct virtio_blk_inhdr)) {
> -        error_report("virtio_blk request inhdr too short");
> -        return -EFAULT;
> -    }

This assertion can be triggered by the guest.  It even accesses undefined
memory when in_num == 0.

Please be careful, we need to validate guest input.

Stefan
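Review bot: the added `assert(in_iov[in_num - 1].iov_len >= sizeof(*inhdr));` turns guest-controlled input into a host-side abort, and when in_num == 0 the index expression reads in_iov[-1] before the condition is even evaluated. The deleted `if (in_size < sizeof(struct virtio_blk_inhdr))` / `return -EFAULT;` path had the right shape: keep an error return rather than an assert, put an explicit `in_num == 0` check in front of it, and make the last-element `iov_len >= sizeof(*inhdr)` condition a second `-EFAULT` case. Note also that the removed check validated the total size via `iov_size(in_iov, in_num)` while the new assert only inspects the last element, so a request whose last "in" element is shorter than the header is no longer rejected with an error. The comment "This is always true because it is only 1 byte" is misleading for the same reason: the header size is fixed by the device, but `iov_len` is chosen by the guest.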
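The check Stefan is asking for, written out as an added, stand-alone example rather than code from the patch or from QEMU: the guest-supplied `in_iov`/`in_num` pair is validated and every failure becomes a `-EFAULT` return the caller can report, instead of an `assert()` the guest can trip. `struct virtio_blk_inhdr` and the buffers are re-declared locally here so the file builds without QEMU headers, and the placement of the header at the tail of the last "in" element is an assumption made for the example, not something the quoted hunk states.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/uio.h>

/* Local stand-in for QEMU's header: a single status byte, as the patch
 * comment says. Declared here only so this example is self-contained. */
struct virtio_blk_inhdr {
    uint8_t status;
};

/* Locate the in-header in a guest-supplied "in" iovec array.
 * Returns 0 and sets *inhdr on success, -EFAULT on any malformed input.
 * Assumption for this example: the header occupies the last
 * sizeof(struct virtio_blk_inhdr) bytes of the last element. */
static int virtio_blk_get_inhdr(const struct iovec *in_iov, unsigned int in_num,
                                struct virtio_blk_inhdr **inhdr)
{
    size_t in_size = 0;
    unsigned int i;
    const struct iovec *last;

    /* A guest may submit a request with no "in" descriptors at all; this
     * must be rejected before anything touches in_iov[in_num - 1]. */
    if (in_num == 0) {
        return -EFAULT;
    }

    /* Total "in" space, the quantity the removed iov_size() check looked at. */
    for (i = 0; i < in_num; i++) {
        in_size += in_iov[i].iov_len;
    }
    if (in_size < sizeof(struct virtio_blk_inhdr)) {
        return -EFAULT;
    }

    /* The header must also fit entirely in the last element. iov_len is
     * chosen by the guest, so this is a check, not an assert. */
    last = &in_iov[in_num - 1];
    if (last->iov_len < sizeof(struct virtio_blk_inhdr)) {
        return -EFAULT;
    }

    *inhdr = (struct virtio_blk_inhdr *)((uint8_t *)last->iov_base +
                                         last->iov_len -
                                         sizeof(struct virtio_blk_inhdr));
    return 0;
}

/* Constructed buffers standing in for guest memory. */
static uint8_t data_buf[512];
static uint8_t status_buf[1];

/* Three request shapes a guest could submit: 0 = no "in" descriptors,
 * 1 = zero-length last element (total size is fine, last element is not),
 * anything else = well-formed data buffer followed by a 1-byte status. */
static int demo_case(int which)
{
    struct iovec iov[2] = {
        { data_buf,   sizeof(data_buf) },
        { status_buf, sizeof(status_buf) },
    };
    struct virtio_blk_inhdr *inhdr = NULL;
    unsigned int in_num = 2;

    switch (which) {
    case 0:
        in_num = 0;
        break;
    case 1:
        iov[1].iov_len = 0;
        break;
    default:
        break;
    }
    return virtio_blk_get_inhdr(iov, in_num, &inhdr);
}

/* On a well-formed request the returned pointer is the status byte itself. */
static int demo_inhdr_points_at_status(void)
{
    struct iovec iov[2] = {
        { data_buf,   sizeof(data_buf) },
        { status_buf, sizeof(status_buf) },
    };
    struct virtio_blk_inhdr *inhdr = NULL;

    if (virtio_blk_get_inhdr(iov, 2, &inhdr) != 0) {
        return 0;
    }
    return (uint8_t *)inhdr == status_buf;
}
```

Case 1 is the one the patch's assert would have aborted on and the removed `iov_size()` check would have let through: the total "in" size is large enough, but the last element is empty. Both conditions have to be checked, and both have to fail soft.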