diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2016-07-27 17:26:07 +0100 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2016-07-27 17:26:07 +0100 |
| commit | 51313fe4f4afea65970a20b32ed2d35b44fbf993 (patch) | |
| tree | 6522845f4ccca960eefece2fe16216dbc8299c23 /hw | |
| parent | df5c50a208296c8303e591296f4e834a3b3fcb3d (diff) | |
| parent | afd9096eb1882f23929f5b5c177898ed231bac66 (diff) | |
| download | focaccia-qemu-51313fe4f4afea65970a20b32ed2d35b44fbf993.tar.gz focaccia-qemu-51313fe4f4afea65970a20b32ed2d35b44fbf993.zip | |
Merge remote-tracking branch 'remotes/stefanha/tags/CVE-2016-5403-virtio-unbounded-allocation-pull-request' into staging
# gpg: Signature made Wed 27 Jul 2016 16:13:02 BST # gpg: using RSA key 0x9CA4ABB381AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" # Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8 * remotes/stefanha/tags/CVE-2016-5403-virtio-unbounded-allocation-pull-request: virtio: error out if guest exceeds virtqueue size Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Diffstat (limited to 'hw')
| -rw-r--r-- | hw/virtio/virtio.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index 752b2715d0..28cf504d6a 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -562,6 +562,11 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz) max = vq->vring.num; + if (vq->inuse >= vq->vring.num) { + error_report("Virtqueue size exceeded"); + exit(1); + } + i = head = virtqueue_get_head(vq, vq->last_avail_idx++); if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) { vring_set_avail_event(vq, vq->last_avail_idx); |