From: Eric Blake
To: P J P, Qemu Developers
Cc: Li Qiang, Prasad J Pandit, Stefan Hajnoczi, "Michael S. Tsirkin"
Date: Wed, 27 Jul 2016 10:13:04 -0600
Subject: Re: [Qemu-devel] [PATCH] virtio: check vring descriptor buffer length
Message-ID: <5798DD90.1050309@redhat.com>
In-Reply-To: <1469633876-23209-1-git-send-email-ppandit@redhat.com>

On 07/27/2016 09:37 AM, P J P wrote:
> From: Prasad J Pandit
> 
> virtio back end uses set of buffers to facilitate I/O operations.
> An infinite loop unfolds in virtqueue_pop() if a buffer was
> of zero size. Add check to avoid it.
> 
> Reported-by: Li Qiang
> Signed-off-by: Prasad J Pandit
> ---
>  hw/virtio/virtio.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
> index 30ede3d..8de896c 100644
> --- a/hw/virtio/virtio.c
> +++ b/hw/virtio/virtio.c
> @@ -457,6 +457,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
>      unsigned num_sg = *p_num_sg;
>      assert(num_sg <= max_num_sg);
>  
> +    if (!sz) {
> +        error_report("virtio: zero sized buffers are not allowed");
> +        exit(1);
> +    }

This lets the guest forcefully exit qemu. Isn't it better to just make
the guest error degrade the virtio device into a broken state (the guest
can no longer use it, but qemu doesn't exit)?

-- 
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
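Review bot: the `exit(1)` in the added `if (!sz)` block in virtqueue_map_desc() turns a guest-controlled descriptor length into termination of the whole QEMU process, so a buggy or hostile guest can take down the VM (and every other device QEMU emulates for it) by queuing a single zero-length descriptor; rejecting the zero-sized buffer at this point is right, but the handler should fail the request and leave the virtio device in a broken, unusable state rather than call exit(), as Eric Blake's reply already argues. Separately, the commit message locates the infinite loop in virtqueue_pop() while the hunk changes virtqueue_map_desc(); a sentence in the commit message explaining how a zero `sz` passed to virtqueue_map_desc() leads to the loop in virtqueue_pop() would let the fix be reviewed from the diff alone.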