
qemu-0.14.0-5.2.mga1.src.rpm

From: Nelson Elhage <nelhage@ksplice.com>
Date: Thu, 19 May 2011 13:23:17 -0400
Subject: [PATCH] virtqueue: Sanity-check the length of indirect descriptors.

We were previously allowing arbitrarily-long descriptors, which could lead to a
buffer overflow in the qemu-kvm process.

--- qemu-kvm-0.14.0.orig/hw/virtio.c
+++ qemu-kvm-0.14.0/hw/virtio.c
@@ -336,6 +336,11 @@
             max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
             num_bufs = i = 0;
             desc_pa = vring_desc_addr(desc_pa, i);
+
+            if (max > VIRTQUEUE_MAX_SIZE) {
+                error_report("Too-large indirect descriptor");
+                exit(1);
+            }
         }
 
         do {
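Review bot: The new check, here and again in the second hunk, answers a guest-controlled oversized indirect table with `exit(1)`, so a malicious or buggy guest can still terminate the whole qemu-kvm process; trading memory corruption for a process-level denial of service is the right call, but it should be documented as deliberate, e.g. `/* Guest-supplied length: bounding it keeps the descriptor arrays in range; a guest that violates the bound is treated as fatally broken. */`. Note also that `max` comes from integer division, so a `vring_desc_len` that is not a multiple of `sizeof(VRingDesc)` is silently rounded down rather than rejected; a `%` check beside this one would make that rejection explicit. The context of the first hunk zeroes `i` before `vring_desc_addr(desc_pa, i)` is evaluated, while the second hunk evaluates it before resetting `i`; this ordering difference predates the patch but looks worth confirming against what the indirect address is meant to be read from. The enclosing function starts and ends outside the hunk.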
@@ -406,6 +411,11 @@
         max = vring_desc_len(desc_pa, i) / sizeof(VRingDesc);
         desc_pa = vring_desc_addr(desc_pa, i);
         i = 0;
+
+        if (max > VIRTQUEUE_MAX_SIZE) {
+            error_report("Too-large indirect descriptor");
+            exit(1);
+        }
     }
 
     /* Collect all the descriptors */