* [Qemu-devel] [PATCH] virtio: validate the existence of handle_output before calling it
From: Jason Wang @ 2015-02-12 3:05 UTC (permalink / raw)
To: qemu-devel; +Cc: Jason Wang, qemu-stable, Anthony Liguori, Michael S. Tsirkin
We don't validate the existence of handle_output, which may let a buggy
guest trigger a SIGSEGV easily. Fix this by validating its existence
before calling it.
Cc: qemu-stable@nongnu.org
Cc: Anthony Liguori <aliguori@amazon.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
hw/virtio/virtio.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index d735343..ffc22e8 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -761,6 +761,10 @@ void virtio_queue_notify_vq(VirtQueue *vq)
{
if (vq->vring.desc) {
VirtIODevice *vdev = vq->vdev;
+
+ if (!vq->handle_output) {
+ return;
+ }
trace_virtio_queue_notify(vdev, vq - vdev->vq, vq);
vq->handle_output(vdev, vq);
}
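Review bot: the NULL check in this hunk sits under `if (vq->vring.desc)` as a separate early return with its own blank line, so the same guard would read more compactly folded into the existing condition, `if (vq->vring.desc && vq->handle_output) {`, leaving the trace and the call lines untouched. A silent return also hides what the check is catching: the guest has set up a ring on a queue the device never wired, which is a sign of a misbehaving guest, so consider emitting a trace point or a guest-error log line on that path so the event is visible when diagnosing such a guest.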
--
1.9.1
* Re: [Qemu-devel] [PATCH] virtio: validate the existence of handle_output before calling it
From: Don Koch @ 2015-02-13 20:18 UTC (permalink / raw)
To: Jason Wang; +Cc: Michael S. Tsirkin, qemu-devel, Anthony Liguori, qemu-stable
On Thu, 12 Feb 2015 11:05:17 +0800
Jason Wang <jasowang@redhat.com> wrote:
> We don't validate the existence of handle_output, which may let a buggy
> guest trigger a SIGSEGV easily. Fix this by validating its existence
> before calling it.
>
> Cc: qemu-stable@nongnu.org
> Cc: Anthony Liguori <aliguori@amazon.com>
> Cc: Michael S. Tsirkin <mst@redhat.com>
> Signed-off-by: Jason Wang <jasowang@redhat.com>
> ---
> hw/virtio/virtio.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
> index d735343..ffc22e8 100644
> --- a/hw/virtio/virtio.c
> +++ b/hw/virtio/virtio.c
> @@ -761,6 +761,10 @@ void virtio_queue_notify_vq(VirtQueue *vq)
> {
> if (vq->vring.desc) {
> VirtIODevice *vdev = vq->vdev;
> +
> + if (!vq->handle_output) {
> + return;
> + }
Maybe better to just change line 762 to:
if (vq->vring.desc && vq->handle_output) {
-d
> trace_virtio_queue_notify(vdev, vq - vdev->vq, vq);
> vq->handle_output(vdev, vq);
> }
> --
> 1.9.1
>
>
* Re: [Qemu-devel] [PATCH] virtio: validate the existence of handle_output before calling it
From: Paolo Bonzini @ 2015-02-13 20:50 UTC (permalink / raw)
To: Jason Wang, qemu-devel
On 12/02/2015 04:05, Jason Wang wrote:
> We don't validate the existence of handle_output, which may let a buggy
> guest trigger a SIGSEGV easily. Fix this by validating its existence
> before calling it.
>
> Cc: qemu-stable@nongnu.org
> Cc: Anthony Liguori <aliguori@amazon.com>
> Cc: Michael S. Tsirkin <mst@redhat.com>
> Signed-off-by: Jason Wang <jasowang@redhat.com>
Which queue was causing this?
Paolo
* Re: [Qemu-devel] [PATCH] virtio: validate the existence of handle_output before calling it
From: Jason Wang @ 2015-02-15 2:32 UTC (permalink / raw)
To: Don Koch; +Cc: Michael S. Tsirkin, qemu-devel, Anthony Liguori, qemu-stable
On Sat, Feb 14, 2015 at 4:18 AM, Don Koch <dkoch@verizon.com> wrote:
> On Thu, 12 Feb 2015 11:05:17 +0800
> Jason Wang <jasowang@redhat.com> wrote:
>
>> We don't validate the existence of handle_output, which may let a buggy
>> guest trigger a SIGSEGV easily. Fix this by validating its existence
>> before calling it.
>>
>> Cc: qemu-stable@nongnu.org
>> Cc: Anthony Liguori <aliguori@amazon.com>
>> Cc: Michael S. Tsirkin <mst@redhat.com>
>> Signed-off-by: Jason Wang <jasowang@redhat.com>
>> ---
>> hw/virtio/virtio.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
>> index d735343..ffc22e8 100644
>> --- a/hw/virtio/virtio.c
>> +++ b/hw/virtio/virtio.c
>> @@ -761,6 +761,10 @@ void virtio_queue_notify_vq(VirtQueue *vq)
>> {
>> if (vq->vring.desc) {
>> VirtIODevice *vdev = vq->vdev;
>> +
>> + if (!vq->handle_output) {
>> + return;
>> + }
>
> Maybe better to just change line 762 to:
> if (vq->vring.desc && vq->handle_output) {
>
> -d
Yes, better.
>
>
>> trace_virtio_queue_notify(vdev, vq - vdev->vq, vq);
>> vq->handle_output(vdev, vq);
>> }
>> --
>> 1.9.1
>>
>>
* Re: [Qemu-devel] [PATCH] virtio: validate the existence of handle_output before calling it
From: Jason Wang @ 2015-02-15 2:35 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: qemu-devel
On Sat, Feb 14, 2015 at 4:50 AM, Paolo Bonzini <pbonzini@redhat.com> wrote:
>
>
> On 12/02/2015 04:05, Jason Wang wrote:
>> We don't validate the existence of handle_output, which may let a buggy
>> guest trigger a SIGSEGV easily. Fix this by validating its existence
>> before calling it.
>>
>> Cc: qemu-stable@nongnu.org
>> Cc: Anthony Liguori <aliguori@amazon.com>
>> Cc: Michael S. Tsirkin <mst@redhat.com>
>> Signed-off-by: Jason Wang <jasowang@redhat.com>
>
> Which queue was causing this?
>
> Paolo
The queue that was not used by the device. Though qemu does not use
them, it allows the guest to do some basic programming, e.g. (for 1q
virtio-net):
1) write 10 to queue_sel
2) set up an arbitrary pfn
3) then notify queue 10
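The sequence Jason describes, modelled in C as an added example (not QEMU code): a device that wires a handler on queue 0 only, a guest that selects queue 10, programs a PFN and kicks it, and the dispatch written in the combined form Don Koch suggested. NUM_QUEUES, the two counters and the guest_* register helpers are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Added example, not QEMU code: a small model of the dispatch path the patch
 * hardens. VirtQueue, vring.desc, handle_output and queue_sel mirror the thread;
 * NUM_QUEUES, the counters and the guest_* register helpers are constructed. */
#define NUM_QUEUES 16

typedef struct VirtIODevice VirtIODevice;
typedef struct VirtQueue {
    struct { uint64_t desc; } vring;  /* non-zero once the guest programs a PFN */
    void (*handle_output)(VirtIODevice *, struct VirtQueue *);
    VirtIODevice *vdev;
} VirtQueue;
struct VirtIODevice {
    VirtQueue vq[NUM_QUEUES];
    uint16_t queue_sel;
    int handled, dropped;  /* constructed counters: handler ran / kick ignored */
};
static void rx_handler(VirtIODevice *vdev, VirtQueue *vq) { (void)vq; vdev->handled++; }

/* Fixed dispatch in the combined form Don Koch suggested: a ring the guest set
 * up on a queue the device never wired must not reach a NULL function call. */
static bool notify_vq(VirtQueue *vq)
{
    if (vq->vring.desc && vq->handle_output) {
        vq->handle_output(vq->vdev, vq);
        return true;
    }
    if (vq->vring.desc) vq->vdev->dropped++;
    return false;
}

/* Guest-visible register model (constructed); the modulo is a constructed bound. */
static void guest_write_queue_sel(VirtIODevice *d, uint16_t sel) { d->queue_sel = sel % NUM_QUEUES; }
static void guest_write_pfn(VirtIODevice *d, uint64_t pfn) { d->vq[d->queue_sel].vring.desc = pfn << 12; }

/* Replays the three steps from the thread against a 1q device (only queue 0 is
 * wired). Returns dropped << 8 | handled: 0x0101 means the kick on queue 10 was
 * ignored safely and a later kick on queue 0 ran the real handler. */
static int replay_unused_queue_kick(void)
{
    static VirtIODevice d;
    memset(&d, 0, sizeof d);
    for (int i = 0; i < NUM_QUEUES; i++) d.vq[i].vdev = &d;
    d.vq[0].handle_output = rx_handler;
    guest_write_queue_sel(&d, 10); guest_write_pfn(&d, 0x1234);  /* steps 1, 2 */
    notify_vq(&d.vq[10]);                                          /* step 3 */
    guest_write_queue_sel(&d, 0);  guest_write_pfn(&d, 0x2000);
    notify_vq(&d.vq[0]);
    return (d.dropped << 8) | d.handled;
}
```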
* Re: [Qemu-devel] [PATCH] virtio: validate the existence of handle_output before calling it
From: Paolo Bonzini @ 2015-02-16 9:29 UTC (permalink / raw)
To: Jason Wang; +Cc: qemu-devel
On 15/02/2015 03:35, Jason Wang wrote:
>
>
> On Sat, Feb 14, 2015 at 4:50 AM, Paolo Bonzini <pbonzini@redhat.com> wrote:
>>
>>
>> On 12/02/2015 04:05, Jason Wang wrote:
>>> We don't validate the existence of handle_output, which may let a buggy
>>> guest trigger a SIGSEGV easily. Fix this by validating its existence
>>> before calling it.
>>>
>>> Cc: qemu-stable@nongnu.org
>>> Cc: Anthony Liguori <aliguori@amazon.com>
>>> Cc: Michael S. Tsirkin <mst@redhat.com>
>>> Signed-off-by: Jason Wang <jasowang@redhat.com>
>>
>> Which queue was causing this?
>>
>> Paolo
>
> The queue that was not used by the device. Though qemu does not use
> them, it allows the guest to do some basic programming, e.g. (for 1q
> virtio-net):
>
> 1) write 10 to queue_sel
> 2) set up an arbitrary pfn
> 3) then notify queue 10
Oh, I see.
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>