Module Name: src Committed By: riastradh Date: Wed Mar 29 09:44:26 UTC 2023
Modified Files: src/sys/dev/pci: virtio.c Log Message: virtio(4): Fix sizing of virtqueue allocation. vq->vq_avail[0].ring is a zero-length array, and thus sizeof is zero; likewise vq->vq_used[0].ring. Use vq->vq_avail[0].ring[0] and vq->vq_used[0].ring[0] to fix this and restore the previous allocation sizing logic. XXX We shouldn't use zero-length arrays here -- they are asking for trouble like this, and C99 has a standard way to express what we're actually trying to get at: flexible array members. PR kern/57304 Reported-by: syzbot+7fb1047f5dfa33b26...@syzkaller.appspotmail.com To generate a diff of this commit: cvs rdiff -u -r1.71 -r1.72 src/sys/dev/pci/virtio.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/dev/pci/virtio.c
diff -u src/sys/dev/pci/virtio.c:1.71 src/sys/dev/pci/virtio.c:1.72
--- src/sys/dev/pci/virtio.c:1.71 Mon Mar 27 14:56:40 2023
+++ src/sys/dev/pci/virtio.c Wed Mar 29 09:44:25 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: virtio.c,v 1.71 2023/03/27 14:56:40 nakayama Exp $ */
+/* $NetBSD: virtio.c,v 1.72 2023/03/29 09:44:25 riastradh Exp $ */
 
 /*
  * Copyright (c) 2020 The NetBSD Foundation, Inc.
@@ -28,7 +28,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: virtio.c,v 1.71 2023/03/27 14:56:40 nakayama Exp $");
+__KERNEL_RCSID(0, "$NetBSD: virtio.c,v 1.72 2023/03/29 09:44:25 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -784,9 +784,9 @@ virtio_alloc_vq(struct virtio_softc *sc,
 	size_desc = sizeof(vq->vq_desc[0]) * vq_num;
 	size_avail = sizeof(uint16_t) * hdrlen
-	    + sizeof(vq->vq_avail[0].ring) * vq_num;
+	    + sizeof(vq->vq_avail[0].ring[0]) * vq_num;
 	size_used = sizeof(uint16_t) *hdrlen
-	    + sizeof(vq->vq_used[0].ring) * vq_num;
+	    + sizeof(vq->vq_used[0].ring[0]) * vq_num;
 	size_indirect = (sc->sc_indirect && maxnsegs >= MINSEG_INDIRECT) ?
 	    sizeof(struct vring_desc) * maxnsegs * vq_num : 0;
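Review bot: The corrected sums in the third hunk restore the right size but leave the root cause the log itself names: `ring` is a zero-length array member, so `sizeof(vq->vq_avail[0].ring)` still compiles and silently yields 0, which is exactly how the undersized allocation behind the syzbot report got in. Declaring those members as C99 flexible array members (`uint16_t ring[];` and `struct vring_used_elem ring[];` in the vring struct definitions, which presumably live in a header outside this file) makes that expression a compile error while leaving the `sizeof(...ring[0])` form used here unchanged, so the regression cannot return unnoticed. Until that is done, a comment over the two sums would stop the next reader from "simplifying" `ring[0]` back to `ring`, e.g. `/* hdrlen header words followed by vq_num ring entries; ring[] is zero-length, so size its elements, not the array */`. As a point of style, `sizeof(uint16_t) *hdrlen` on the size_used line is spaced differently from the size_avail line directly above it, and the hunk already touches its neighbour. virtio_alloc_vq begins before this hunk and continues after it.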