+-- On Fri, 11 Dec 2020, Paolo Bonzini wrote --+
| This is not the root cause. These are the last steps before bad things
| happen; the root cause is what _led_ to those last steps. In this case, the
| root cause is that a read request with s->lba == -1 is mistaken for a
| non-read. Read requests are able to reset s->io_buffer_index and start with
| the index pointing just after the end of the sector buffer; non-read
| requests instead visit the buffer just once and start with
| s->io_buffer_index == 0.
|
| In turn, the fix is to validate:
|
| 1) that s->lba is in range when issuing a read request
|
| 2) that the size of the device is sane (e.g. the number of blocks is a
| positive 32-bit integer).
Yes, working on a revised patch... Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
8685 545E B54C 486B C6EB 271E E285 8B5A F050 DE8D
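The two validation points Paolo lists, modelled as an added C example that is not QEMU's code: the names lba / nb_sectors follow the mail, the int64_t types and the sector count parameter are assumptions. It also shows why an end-bound-only check lets the lba == -1 sentinel through, which is the trap the fix has to avoid.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Check 2 from the mail: the number of blocks must be positive and fit
 * in a 32-bit integer. (Constructed model, not QEMU's ide code.) */
static bool device_size_sane(int64_t nb_sectors)
{
    return nb_sectors > 0 && nb_sectors <= INT32_MAX;
}

/* A naive end-bound check: only asks whether the request ends inside the
 * device. lba == -1 with count == 1 gives lba + count == 0, which passes,
 * so the negative sentinel is accepted as a real read. */
static bool naive_end_check_only(int64_t lba, int64_t count, int64_t nb_sectors)
{
    return lba + count <= nb_sectors;
}

/* Check 1 from the mail, done properly: reject negative lba (including the
 * -1 sentinel) and a non-positive count first, then bound the end of the
 * request without computing lba + count, so the arithmetic cannot overflow. */
static bool read_request_in_range(int64_t lba, int64_t count, int64_t nb_sectors)
{
    if (!device_size_sane(nb_sectors)) {
        return false;
    }
    if (lba < 0 || count <= 0) {
        return false;
    }
    return count <= nb_sectors - lba;
}

int main(void)
{
    /* Constructed sample values: a 1000-sector device. */
    const int64_t nb_sectors = 1000;
    printf("lba=-1 naive check: %d\n", naive_end_check_only(-1, 1, nb_sectors));
    printf("lba=-1 full check:  %d\n", read_request_in_range(-1, 1, nb_sectors));
    printf("lba=999 count=1:    %d\n", read_request_in_range(999, 1, nb_sectors));
    printf("lba=999 count=2:    %d\n", read_request_in_range(999, 2, nb_sectors));
    return 0;
}
```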