The sg list/indirect descriptor table may be contiguous
in GPA but not in HVA address space. But libvhost-user
wasn't aware of that. This would cause out-of-bounds
access. Even a malicious guest could use it to get
information from the vhost-user backend.

Introduce a plen parameter in vu_gpa_to_va() so we can
handle this case, returning the actual mapped length.

Signed-off-by: Yongji Xie <address@hidden>
---
contrib/libvhost-user/libvhost-user.c | 133 +++++++++++++++++++++++++++++----
contrib/libvhost-user/libvhost-user.h | 3 +-
2 files changed, 122 insertions(+), 14 deletions(-)
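
The case the commit message describes, as an added example that is not code from this patch or from libvhost-user: a translation helper that clamps the caller's length to the bytes left in the containing region, and a caller that loops so a buffer contiguous in GPA is split into one host segment per region. The types, the names `gpa_to_va` and `map_guest_buf`, and the two-region memory table are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical types: one guest-physical range backed by one host mapping. */
struct region { uint64_t gpa, size; uint8_t *hva; };
struct seg { uint8_t *base; uint64_t len; };

/* Translate gpa and clamp *plen to the bytes left in the containing region. */
static uint8_t *gpa_to_va(const struct region *r, size_t n,
                          uint64_t gpa, uint64_t *plen)
{
    for (size_t i = 0; i < n; i++) {
        uint64_t off = gpa - r[i].gpa; /* only used if gpa >= r[i].gpa */
        if (gpa >= r[i].gpa && off < r[i].size) {
            if (*plen > r[i].size - off)
                *plen = r[i].size - off;
            return r[i].hva + off;
        }
    }
    return NULL; /* unmapped guest address */
}

/* Split [gpa, gpa+len) into host segments; -1 if unmapped or out of slots. */
static int map_guest_buf(const struct region *r, size_t n, uint64_t gpa,
                         uint64_t len, struct seg *out, int max)
{
    int cnt = 0;
    while (len) {
        uint64_t chunk = len;
        uint8_t *va = gpa_to_va(r, n, gpa, &chunk);
        if (!va || cnt == max)
            return -1;
        out[cnt++] = (struct seg){ va, chunk };
        gpa += chunk;
        len -= chunk;
    }
    return cnt;
}

/* Constructed sample: regions adjacent in GPA, separate host buffers. */
static uint8_t host_a[0x1000], host_b[0x1000];
static const struct region regions[] = {
    { 0x10000, 0x1000, host_a }, { 0x11000, 0x1000, host_b } };
static struct seg segs[4];

int main(void)
{
    int n = map_guest_buf(regions, 2, 0x10f00, 0x200, segs, 4);
    printf("%d segments\n", n);
}
```

A caller that used the first returned pointer for the whole 0x200 bytes would run 0x100 bytes past `host_a`, which is the out-of-bounds access the commit message refers to.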