Received: from eggs.gnu.org ([140.186.70.92]:50779) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QJQyA-0003Aj-5O for qemu-devel@nongnu.org; Mon, 09 May 2011 09:57:58 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1QJQy9-0007jg-0O for qemu-devel@nongnu.org; Mon, 09 May 2011 09:57:54 -0400
Received: from mail-yx0-f173.google.com ([209.85.213.173]:58579) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1QJQy8-0007jc-UD for qemu-devel@nongnu.org; Mon, 09 May 2011 09:57:52 -0400
Received: by yxk8 with SMTP id 8so2141331yxk.4 for ; Mon, 09 May 2011 06:57:49 -0700 (PDT)
MIME-Version: 1.0
In-Reply-To: <1304890147-26679-1-git-send-email-stefanha@linux.vnet.ibm.com>
References: <1304890147-26679-1-git-send-email-stefanha@linux.vnet.ibm.com>
Date: Mon, 9 May 2011 14:57:49 +0100
From: Stefan Hajnoczi
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: Re: [Qemu-devel] [PATCH] virtio: guard against negative vq notifies
To: "Justin M. Forbes"
Cc: qemu-devel@nongnu.org, Stefan Hajnoczi, "Michael S. Tsirkin"

On Sun, May 8, 2011 at 10:29 PM, Stefan Hajnoczi wrote:
> The virtio_queue_notify() function checks that the virtqueue number is
> less than the maximum number of virtqueues. A signed comparison is used
> but the virtqueue number could be negative if a buggy or malicious guest
> is run. This results in memory accesses outside of the virtqueue array.
>
> It is risky doing input validation in common code instead of at the
> guest<->host boundary. Note that virtio_queue_set_addr(),
> virtio_queue_get_addr(), virtio_queue_get_num(), and many other virtio
> functions do *not* validate the virtqueue number argument.
>
> Instead of fixing the comparison in virtio_queue_notify(), move the
> comparison to the virtio bindings (just like VIRTIO_PCI_QUEUE_SEL) where
> we have a uint32_t value and can avoid ever calling into common virtio
> code if the virtqueue number is invalid.
>
> Signed-off-by: Stefan Hajnoczi
> ---
>  hw/syborg_virtio.c |    4 +++-
>  hw/virtio-pci.c    |    4 +++-
>  hw/virtio.c        |    4 +---
>  3 files changed, 7 insertions(+), 5 deletions(-)

Please consider this patch for the stable tree once Michael is happy:
http://patchwork.ozlabs.org/patch/94604/

Stefan
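The signedness problem the quoted commit message describes, shown as an added C example that is not QEMU's code and not part of this thread. The structures, the `VIRTIO_PCI_QUEUE_MAX` value of 64, and the function names other than `virtio_queue_notify()` are stand-ins chosen for illustration: `vq_index_accepted_signed()` models the pre-patch upper-bound-only check on an `int`, while `virtio_pci_queue_notify_write()` models the binding-side check on the raw `uint32_t` the guest wrote, so common virtio code is never entered with an out-of-range index.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for QEMU's virtio structures (not QEMU's own code). */
#define VIRTIO_PCI_QUEUE_MAX 64

typedef struct {
    uint32_t notified;  /* how many times the guest kicked this queue */
} VirtQueue;

typedef struct {
    VirtQueue vq[VIRTIO_PCI_QUEUE_MAX];
} VirtIODevice;

/* Pre-patch shape: an int index and a signed upper-bound-only comparison.
 * Returns true when the index would be accepted; a negative value slips
 * through because -1 < 64 holds for signed ints. Shown only to make the
 * defect observable; it never indexes the array. */
bool vq_index_accepted_signed(int n)
{
    return n < VIRTIO_PCI_QUEUE_MAX;
}

/* Post-patch shape: compare the value as the uint32_t the guest actually
 * wrote. 0xFFFFFFFF is 4294967295 here, not -1, so it is rejected. */
bool vq_index_accepted_u32(uint32_t n)
{
    return n < VIRTIO_PCI_QUEUE_MAX;
}

/* Common virtio code: like the real function, it trusts its argument and
 * must only be reached with an index that was validated at the boundary. */
static void virtio_queue_notify(VirtIODevice *vdev, int n)
{
    vdev->vq[n].notified++;
}

/* Binding-side handler for a guest write to the queue-notify register
 * (hypothetical name). Returns 0 when the kick was delivered and -1 when the
 * value was rejected before any common virtio code ran. */
int virtio_pci_queue_notify_write(VirtIODevice *vdev, uint32_t val)
{
    if (!vq_index_accepted_u32(val)) {
        return -1;
    }
    virtio_queue_notify(vdev, (int)val);
    return 0;
}

/* Reinterpret a 32-bit register value as int, which is what happens when a
 * uint32_t is passed to a function taking int: 0xFFFFFFFF becomes -1. */
int guest_value_as_int(uint32_t val)
{
    int n;
    memcpy(&n, &val, sizeof n);
    return n;
}

int main(void)
{
    VirtIODevice dev;
    uint32_t bad = 0xFFFFFFFFu;  /* constructed guest-written register value */
    memset(&dev, 0, sizeof dev);

    printf("signed check accepts %d: %s\n", guest_value_as_int(bad),
           vq_index_accepted_signed(guest_value_as_int(bad)) ? "yes" : "no");
    printf("uint32_t check accepts %u: %s\n", bad,
           vq_index_accepted_u32(bad) ? "yes" : "no");
    printf("notify queue 3 -> %d, notify 0xFFFFFFFF -> %d, notify 64 -> %d\n",
           virtio_pci_queue_notify_write(&dev, 3),
           virtio_pci_queue_notify_write(&dev, bad),
           virtio_pci_queue_notify_write(&dev, VIRTIO_PCI_QUEUE_MAX));
    return 0;
}
```

The point of the layout is the one the commit message makes: the check lives where the type is still `uint32_t`, so the question "is this negative?" never arises, and every function downstream that does not validate its argument is protected by the same single check.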