[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-stable] [Qemu-devel] [PATCH for-2.3 1/4] virtio-ccw: fix range
|
From: |
Christian Borntraeger |
|
Subject: |
Re: [Qemu-stable] [Qemu-devel] [PATCH for-2.3 1/4] virtio-ccw: fix range check for SET_VQ |
|
Date: |
Fri, 27 Mar 2015 10:04:58 +0100 |
|
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 |
Am 26.03.2015 um 16:35 schrieb Cornelia Huck:
> VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be
> able to trigger a write beyond the VirtQueue structure.
>
> Cc: address@hidden
> Reviewed-by: David Hildenbrand <address@hidden>
> Signed-off-by: Cornelia Huck <address@hidden>
Acked-by: Christian Borntraeger <address@hidden>
> ---
> hw/s390x/virtio-ccw.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
> index 130535c..ceb6a45 100644
> --- a/hw/s390x/virtio-ccw.c
> +++ b/hw/s390x/virtio-ccw.c
> @@ -266,7 +266,7 @@ static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t
> addr, uint32_t align,
> {
> VirtIODevice *vdev = virtio_ccw_get_vdev(sch);
>
> - if (index > VIRTIO_PCI_QUEUE_MAX) {
> + if (index >= VIRTIO_PCI_QUEUE_MAX) {
> return -EINVAL;
> }
>