Re: [Qemu-devel] [PATCH v3 6/9] virtio-blk: Use VirtIOBlockReq.in to dro

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH v3 6/9] virtio-blk: Use VirtIOBlockReq.in to dro

From:	Stefan Hajnoczi
Subject:	Re: [Qemu-devel] [PATCH v3 6/9] virtio-blk: Use VirtIOBlockReq.in to drop VirtIOBlockReq.inhdr
Date:	Fri, 6 Jun 2014 15:05:32 +0200
User-agent:	Mutt/1.5.23 (2014-03-12)

On Fri, Jun 06, 2014 at 09:53:27AM +0800, Fam Zheng wrote:
> @@ -200,17 +193,12 @@ static int process_request(VirtIOBlockDataPlane *s, 
> VirtQueueElement *elem)
>      }
>      iov_discard_front(&iov, &out_num, sizeof(outhdr));
>  
> +    /* This is always true because it is only 1 byte, but checked here in 
> case
> +     * the header gets bigger in the future. */
> +    assert(in_iov[in_num - 1].iov_len >= sizeof(*inhdr));
>      /* Grab inhdr for later */
> -    in_size = iov_size(in_iov, in_num);
> -    if (in_size < sizeof(struct virtio_blk_inhdr)) {
> -        error_report("virtio_blk request inhdr too short");
> -        return -EFAULT;
> -    }

This assertion can be triggered by the guest.  It even accesses
undefined memory when in_num == 0.

Please be careful, we need to validate guest input.

Stefan

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] [PATCH v3 0/9] virtio-blk: Converge VirtIOBlockRequest into VirtIOBlockReq, Fam Zheng, 2014/06/05
- [Qemu-devel] [PATCH v3 1/9] virtio-blk: Move VirtIOBlockReq to header, Fam Zheng, 2014/06/05
  - Re: [Qemu-devel] [PATCH v3 1/9] virtio-blk: Move VirtIOBlockReq to header, Stefan Hajnoczi, 2014/06/06
- [Qemu-devel] [PATCH v3 2/9] virtio-blk: Convert VirtIOBlockReq.elem to pointer, Fam Zheng, 2014/06/05
  - Re: [Qemu-devel] [PATCH v3 2/9] virtio-blk: Convert VirtIOBlockReq.elem to pointer, Stefan Hajnoczi, 2014/06/06
- [Qemu-devel] [PATCH v3 3/9] virtio-blk: Drop bounce buffer from dataplane code, Fam Zheng, 2014/06/05
- [Qemu-devel] [PATCH v3 4/9] virtio-blk: Drop VirtIOBlockRequest.read, Fam Zheng, 2014/06/05
- [Qemu-devel] [PATCH v3 5/9] virtio-blk: Replace VirtIOBlockRequest with VirtIOBlockReq, Fam Zheng, 2014/06/05
- [Qemu-devel] [PATCH v3 6/9] virtio-blk: Use VirtIOBlockReq.in to drop VirtIOBlockReq.inhdr, Fam Zheng, 2014/06/05
  - Re: [Qemu-devel] [PATCH v3 6/9] virtio-blk: Use VirtIOBlockReq.in to drop VirtIOBlockReq.inhdr, Stefan Hajnoczi <=
- [Qemu-devel] [PATCH v3 7/9] virtio-blk: Convert VirtIOBlockReq.out to structrue, Fam Zheng, 2014/06/05
- [Qemu-devel] [PATCH v3 8/9] virtio-blk: Fill in VirtIOBlockReq.out in dataplane code, Fam Zheng, 2014/06/05
- [Qemu-devel] [PATCH v3 9/9] virtio-blk: Fix and clean up the in_sg and out_sg check, Fam Zheng, 2014/06/05
  - Re: [Qemu-devel] [PATCH v3 9/9] virtio-blk: Fix and clean up the in_sg and out_sg check, Stefan Hajnoczi, 2014/06/06
    - Re: [Qemu-devel] [PATCH v3 9/9] virtio-blk: Fix and clean up the in_sg and out_sg check, Paolo Bonzini, 2014/06/06
- Re: [Qemu-devel] [PATCH v3 0/9] virtio-blk: Converge VirtIOBlockRequest into VirtIOBlockReq, Paolo Bonzini, 2014/06/06
- Re: [Qemu-devel] [PATCH v3 0/9] virtio-blk: Converge VirtIOBlockRequest into VirtIOBlockReq, Stefan Hajnoczi, 2014/06/06

Prev by Date: Re: [Qemu-devel] [PATCH v3 0/2] bugfixes of sheepdog driver for a case of live snapshot
Next by Date: Re: [Qemu-devel] [PATCH v3 2/9] virtio-blk: Convert VirtIOBlockReq.elem to pointer
Previous by thread: [Qemu-devel] [PATCH v3 6/9] virtio-blk: Use VirtIOBlockReq.in to drop VirtIOBlockReq.inhdr
Next by thread: [Qemu-devel] [PATCH v3 7/9] virtio-blk: Convert VirtIOBlockReq.out to structrue
Index(es):
- Date
- Thread