On Wed, 14 Jan 2026 at 16:35, Maxime Coquelin <[email protected]> wrote:
>
> The virtio_net_ctrl_pop() function traverses descriptor chains from
> guest-controlled memory without validating that the descriptor index
> stays within bounds and without a counter to prevent infinite loops
> from circular chains.
>
> A malicious guest could craft descriptors with a next field pointing
> out of bounds causing memory corruption, or create circular descriptor
> chains causing an infinite loop and denial of service.
>
> Add bounds checking and a loop counter to both descriptor chain
> traversal loops, similar to the existing protection in virtio_net.c
> fill_vec_buf_split().
>
> Fixes: 474f4d7840ad ("vhost: add control virtqueue")
> Cc: [email protected]
>
> Signed-off-by: Maxime Coquelin <[email protected]>
Thanks for the update.

Reviewed-by: David Marchand <[email protected]>

-- 
David Marchand
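The two checks the patch describes, as an added example that is not DPDK's or the submitter's code: a simplified split-ring descriptor modeled on the virtio vring_desc layout (an assumption here) is walked with a bounds check on every index and a hop counter capped at the ring size, so an out-of-range next field or a circular chain is rejected instead of corrupting memory or spinning forever. The sample ring is constructed for illustration.

```c
#include <stdint.h>

/* Simplified split-ring descriptor, modeled on the virtio vring_desc layout
 * (an assumption for this example, not DPDK's own struct). */
#define DESC_F_NEXT 1u
struct desc { uint64_t addr; uint32_t len; uint16_t flags; uint16_t next; };

/* Walk the chain starting at head and return its descriptor count, or -1 if
 * the chain is malformed: an index outside the ring (guest memory is
 * untrusted, so every index is checked before it is dereferenced) or a cycle
 * (caught by capping the walk at ring_size hops, since a valid chain cannot
 * contain more descriptors than the ring has entries). */
static int walk_chain(const struct desc *ring, uint16_t ring_size, uint16_t head)
{
    uint16_t idx = head;
    int count = 0;

    for (;;) {
        if (idx >= ring_size)      /* bounds check, head index included */
            return -1;
        if (++count > ring_size)   /* loop counter: circular chain */
            return -1;
        /* ring[idx] is in bounds here; a real walker should copy the
         * descriptor out of guest memory once rather than re-read it. */
        if (!(ring[idx].flags & DESC_F_NEXT))
            break;
        idx = ring[idx].next;      /* guest-controlled; checked next iteration */
    }
    return count;
}

/* Constructed 4-entry sample ring (not captured from a real guest): head 0 is
 * a valid two-descriptor chain, entry 1 points to itself, entry 3 points
 * outside the ring. */
static const struct desc sample_ring[4] = {
    { .addr = 0x1000, .len = 64, .flags = DESC_F_NEXT, .next = 2 },
    { .addr = 0x2000, .len = 32, .flags = DESC_F_NEXT, .next = 1 },
    { .addr = 0x3000, .len = 16, .flags = 0,           .next = 0 },
    { .addr = 0x4000, .len = 8,  .flags = DESC_F_NEXT, .next = 9 },
};

/* Walk the sample ring from a given head; -1 means the chain was rejected. */
static int sample_count(uint16_t head)
{
    return walk_chain(sample_ring, 4, head);
}
```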

