Re: [Qemu-devel] [PATCH for-2.3 1/4] virtio-ccw: fix range check for SET_VQ

Christian Borntraeger Fri, 27 Mar 2015 02:06:27 -0700

Am 26.03.2015 um 16:35 schrieb Cornelia Huck:
> VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be
> able to trigger a write beyond the VirtQueue structure.
> 
> Cc: qemu-sta...@nongnu.org
> Reviewed-by: David Hildenbrand <d...@linux.vnet.ibm.com>
> Signed-off-by: Cornelia Huck <cornelia.h...@de.ibm.com>
Acked-by: Christian Borntraeger <borntrae...@de.ibm.com>


> ---
>  hw/s390x/virtio-ccw.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
> index 130535c..ceb6a45 100644
> --- a/hw/s390x/virtio-ccw.c
> +++ b/hw/s390x/virtio-ccw.c
> @@ -266,7 +266,7 @@ static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t 
> addr, uint32_t align,
>  {
>      VirtIODevice *vdev = virtio_ccw_get_vdev(sch);
> 
> -    if (index > VIRTIO_PCI_QUEUE_MAX) {
> +    if (index >= VIRTIO_PCI_QUEUE_MAX) {
>          return -EINVAL;
>      }
>

Re: [Qemu-devel] [PATCH for-2.3 1/4] virtio-ccw: fix range check for SET_VQ

Reply via email to