Hi,

I've figured out the actual problem, and I've made a patch that fixes
the issue. I'm not sure if it will apply cleanly, as mine is based off the
RHEL version, but I thought I'd share it since it gave me a headache, and
many others it seems.

This is what happens:

vdev->vq[i].inuse = (uint16_t)(vdev->vq[i].last_avail_idx -
                               vdev->vq[i].used_idx);

if (vdev->vq[i].inuse > vdev->vq[i].vring.num)

Random example with last_avail_idx 0x1, used_idx 0x2, size 0x80:
1 - 2 = -1; however, cast as unsigned it ends up being 65535,
so if (65535 > 80) = headache.

The patch I made basically checks if it's negative and sets it to 0, as
well as adding inuse to the error_report. I am sure that if the error_report
had actually shown the true values being compared and not the source
values, it would have been figured out sooner.

** Patch added: "qemu.patch"
   https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1647389/+attachment/4850942/+files/qemu.patch
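The arithmetic described in the post, as an added stand-alone example (not QEMU code and not the poster's patch, which is only linked above). It keeps the field names from the quoted snippet and reconstructs the "clamp a negative result to 0" fix from the post's description. Because virtio ring indices are free-running 16-bit counters that wrap modulo 65536, the example also includes a legitimate wrap case, where the two computations give different results, alongside the post's case and a genuinely inconsistent one. The struct, the sample states and the report format are all constructed here for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the fields the post's snippet touches; not QEMU's struct. */
struct vq_state {
    uint16_t last_avail_idx;  /* free-running 16-bit index, wraps mod 65536 */
    uint16_t used_idx;        /* same */
    unsigned int num;         /* vring.num, the ring size */
};

/* The computation as quoted in the post: the difference truncated to 16 bits. */
static uint16_t inuse_u16(const struct vq_state *vq)
{
    return (uint16_t)(vq->last_avail_idx - vq->used_idx);
}

/*
 * The fix as the post describes it ("checks if it's negative and sets it
 * to 0"), reconstructed here. Both uint16_t operands are promoted to int
 * before the subtraction, so a negative result is visible before any cast.
 */
static int inuse_clamped(const struct vq_state *vq)
{
    int inuse = vq->last_avail_idx - vq->used_idx;
    return inuse < 0 ? 0 : inuse;
}

/* The original check: 1 when inuse exceeds the ring size, 0 otherwise. */
static int check_u16_fails(const struct vq_state *vq)
{
    return inuse_u16(vq) > vq->num;
}

/* Same check applied to the clamped value. */
static int check_clamped_fails(const struct vq_state *vq)
{
    return (unsigned int)inuse_clamped(vq) > vq->num;
}

/* Error text that includes the value actually compared, as the post suggests. */
static int format_report(const struct vq_state *vq, char *buf, size_t len)
{
    return snprintf(buf, len,
        "VQ inuse %u exceeds vring size %u (last_avail_idx %u, used_idx %u)",
        (unsigned int)inuse_u16(vq), vq->num,
        (unsigned int)vq->last_avail_idx, (unsigned int)vq->used_idx);
}

/* Constructed sample states. */
static const struct vq_state post_case = { 0x1, 0x2, 0x80 };        /* the post's example */
static const struct vq_state wrap_case = { 0x0001, 0xFFFE, 0x80 };  /* 3 buffers in flight across 0xFFFF -> 0 */
static const struct vq_state bad_case  = { 200, 10, 128 };          /* more in flight than the ring holds */

int main(void)
{
    const struct vq_state *cases[] = { &post_case, &wrap_case, &bad_case };
    const char *names[] = { "post", "wrap", "bad" };
    char msg[160];

    for (int i = 0; i < 3; i++) {
        printf("%-4s u16 inuse=%5u fails=%d | clamped inuse=%3d fails=%d\n",
               names[i], (unsigned int)inuse_u16(cases[i]), check_u16_fails(cases[i]),
               inuse_clamped(cases[i]), check_clamped_fails(cases[i]));
    }
    format_report(&post_case, msg, sizeof msg);
    puts(msg);
    return 0;
}
```

The post's case gives 65535 under the 16-bit computation and 0 after clamping, so the check fails in the first form and passes in the second. The wrap case shows the cost of the signed interpretation: the 16-bit difference is the correct 3, while the clamped value is 0. The genuinely inconsistent case fails either way.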

https://bugs.launchpad.net/bugs/1647389

Title:
  Regression: Live migrations can still crash after CVE-2016-5403 fix
