On (Fri) Dec 10 2010 [13:59:50], Paul Brook wrote:
> > Check if the guest really sent any items in the out_vq before using
> > them. Similarly, check if there is a buffer to send data in before
> > writing.
>
> Can this actually happen? If so why/how?
> Why does it need a special case in this device?

A malicious guest (i.e., a guest with the virtio_console module suitably
modified) could send in buffers with the 'input' bit set instead of
output as expected or vice-versa.

> If this is guest triggerable then calling abort() is wrong.

It's either a guest bug or a malicious guest. What action is
recommended?

Amit