From: Nelson Elhage <nelhage@ksplice.com> Date: Thu, 19 May 2011 13:23:17 -0400 Subject: [PATCH] virtqueue: Sanity-check the length of indirect descriptors. We were previously allowing arbitrarily-long descriptors, which could lead to a buffer overflow in the qemu-kvm process. --- qemu-kvm-0.14.0.orig/hw/virtio.c +++ qemu-kvm-0.14.0/hw/virtio.c @@ -336,6 +336,11 @@ max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc); num_bufs = i = 0; desc_pa = vring_desc_addr(desc_pa, i); + + if (max > VIRTQUEUE_MAX_SIZE) { + error_report("Too-large indirect descriptor"); + exit(1); + } } do { @@ -406,6 +411,11 @@ max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc); desc_pa = vring_desc_addr(desc_pa, i); i = 0; + + if (max > VIRTQUEUE_MAX_SIZE) { + error_report("Too-large indirect descriptor"); + exit(1); + } } /* Collect all the descriptors */