Message-ID: <55151D3A.1050503@de.ibm.com>
Date: Fri, 27 Mar 2015 10:04:58 +0100
From: Christian Borntraeger
References: <1427384162-4994-1-git-send-email-cornelia.huck@de.ibm.com> <1427384162-4994-2-git-send-email-cornelia.huck@de.ibm.com>
In-Reply-To: <1427384162-4994-2-git-send-email-cornelia.huck@de.ibm.com>
Subject: Re: [Qemu-devel] [PATCH for-2.3 1/4] virtio-ccw: fix range check for SET_VQ
To: Cornelia Huck, qemu-devel@nongnu.org
Cc: jfrei@linux.vnet.ibm.com, agraf@suse.de, qemu-stable@nongnu.org

On 26.03.2015 at 16:35, Cornelia Huck wrote:
> VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be
> able to trigger a write beyond the VirtQueue structure.
>
> Cc: qemu-stable@nongnu.org
> Reviewed-by: David Hildenbrand
> Signed-off-by: Cornelia Huck

Acked-by: Christian Borntraeger

> --- > hw/s390x/virtio-ccw.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c > index 130535c..ceb6a45 100644 > --- a/hw/s390x/virtio-ccw.c > +++ b/hw/s390x/virtio-ccw.c
> @@ -266,7 +266,7 @@ static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t addr, uint32_t align, > { > VirtIODevice *vdev = virtio_ccw_get_vdev(sch); > > - if (index > VIRTIO_PCI_QUEUE_MAX) { > + if (index >= VIRTIO_PCI_QUEUE_MAX) { > return -EINVAL; > } >
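Review bot: The corrected bound `if (index >= VIRTIO_PCI_QUEUE_MAX)` at the top of virtio_ccw_set_vqs guards only the upper end, and the type of `index` is not visible in this hunk because the signature is cut off after `uint32_t align,`. If `index` is a signed type, a negative value coming from the guest would still pass this check, so it is worth confirming that the parameter is unsigned or adding an explicit lower bound. The commit message could also say that the one out-of-range value the old `>` comparison accepted was `index == VIRTIO_PCI_QUEUE_MAX`, which makes the off-by-one obvious to anyone picking this up for stable.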