path: root/disas
author: Carlos López <clopez@suse.de> 2023-03-02 11:03:59 +0100
committer: Michael S. Tsirkin <mst@redhat.com> 2023-03-07 19:51:07 -0500
commit: bbc1c327d7974261c61566cdb950cc5fa0196b41 (patch)
tree: 148ae6740de49fe3947ca60bb1547aa9c70a536d /disas
parent: 90e31232cf8fa7f257263dd431ea954a1ae54bff (diff)
virtio: fix reachable assertion due to stale value of cached region size
In virtqueue_{split,packed}_get_avail_bytes() descriptors are read in a loop via MemoryRegionCache regions and calls to vring_{split,packed}_desc_read() - these take a region cache and the index of the descriptor to be read.

For direct descriptors we use a cache provided by the caller, whose size matches that of the virtqueue vring. We limit the number of descriptors we can read by the size of that vring:

    max = vq->vring.num;
    ...
    MemoryRegionCache *desc_cache = &caches->desc;

For indirect descriptors, we initialize a new cache and limit the number of descriptors by the size of the intermediate descriptor:

    len = address_space_cache_init(&indirect_desc_cache, vdev->dma_as,
                                   desc.addr, desc.len, false);
    desc_cache = &indirect_desc_cache;
    ...
    max = desc.len / sizeof(VRingDesc);

However, the first initialization of `max` is done outside the loop where we process guest descriptors, while the second one is done inside. This means that a sequence of an indirect descriptor followed by a direct one will leave a stale value in `max`. If the second descriptor's `next` field is smaller than the stale value, but greater than the size of the virtqueue ring (and thus the cached region), a failed assertion will be triggered in address_space_read_cached() down the call chain.

Fix this by initializing `max` inside the loop in both functions.

Fixes: 9796d0ac8fb0 ("virtio: use address_space_map/unmap to access descriptors")
Signed-off-by: Carlos López <clopez@suse.de>
Message-Id: <20230302100358.3613-1-clopez@suse.de>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
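The following is an added illustration, not QEMU's code, of the ordering bug the commit message describes: a simplified model of the chain walk in which the placement of the `max` initialization (before the outer loop, as in the pre-fix code, or at the top of each iteration, as in the fix) is selected by a flag. The `Desc` and `Cache` structs, the use of `addr` as an index into a constructed array of indirect tables, and all descriptor contents are assumptions made for the example; `desc_read()` returning false stands in for the assertion in address_space_read_cached().

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for VRingDesc and MemoryRegionCache. */
typedef struct { uint64_t addr; uint32_t len; uint16_t flags; uint16_t next; } Desc;
typedef struct { const Desc *table; unsigned num; } Cache;
#define F_NEXT     1
#define F_INDIRECT 4

/* Read descriptor i from a cache. False models the assertion that fires
 * in address_space_read_cached() when i lies past the cached region. */
static bool desc_read(const Cache *c, unsigned i, Desc *out)
{
    if (i >= c->num) return false;
    *out = c->table[i];
    return true;
}

/* Walk every chain listed in 'heads'. Returns 0 on success, -2 when the
 * "next >= max" check rejects a chain cleanly, and -1 when a read runs
 * past the cache, i.e. the reachable assertion. 'fixed' selects where
 * 'max' is (re)initialized. */
static int walk_chains(const Cache *vring, const Cache *indirect, unsigned n_indirect,
                       const unsigned *heads, unsigned n_heads, bool fixed)
{
    unsigned max = vring->num;          /* pre-fix: set once, before the loop */

    for (unsigned h = 0; h < n_heads; h++) {
        const Cache *desc_cache = vring;
        unsigned i = heads[h];
        Desc desc;

        if (fixed) max = vring->num;    /* the fix: re-derive the bound per chain */
        if (i >= vring->num) return -2; /* head index is validated against the ring */
        if (!desc_read(desc_cache, i, &desc)) return -1;

        if (desc.flags & F_INDIRECT) {
            if (desc.addr >= n_indirect) return -2;  /* constructed: addr = table id */
            desc_cache = &indirect[desc.addr];
            max = desc.len / sizeof(Desc);           /* bound from the indirect table */
            i = 0;
            if (!desc_read(desc_cache, i, &desc)) return -1;
        }
        for (;;) {
            /* here the real code accumulates desc.len into in/out byte counts */
            if (!(desc.flags & F_NEXT)) break;
            i = desc.next;
            if (i >= max) return -2;                 /* the "Desc next is %u" check */
            if (!desc_read(desc_cache, i, &desc)) return -1;  /* overruns if max is stale */
        }
    }
    return 0;
}

/* Constructed 4-entry ring: idx 0 is indirect (8-entry table), idx 1 is a
 * direct descriptor whose 'next' is past the ring (4) but below 8. */
static const Desc ring_descs[4] = {
    { .addr = 0,      .len = 8 * sizeof(Desc), .flags = F_INDIRECT },
    { .addr = 0x1000, .len = 16, .flags = F_NEXT, .next = 6 },
    { .addr = 0x2000, .len = 16 },
    { .addr = 0x3000, .len = 16 },
};
static const Desc table0[8] = {          /* indirect table: chain 0 -> 1 -> 2 */
    { .addr = 0x4000, .len = 16, .flags = F_NEXT, .next = 1 },
    { .addr = 0x4010, .len = 16, .flags = F_NEXT, .next = 2 },
    { .addr = 0x4020, .len = 16 },
};

static int run(const unsigned *heads, unsigned n, bool fixed)
{
    Cache vring = { ring_descs, 4 };
    Cache indirect[1] = { { table0, 8 } };
    return walk_chains(&vring, indirect, 1, heads, n, fixed);
}

/* Indirect chain first, then the direct one: -1 pre-fix, -2 with the fix. */
int stale_max_result(bool fixed)
{
    static const unsigned heads[] = { 0, 1 };
    return run(heads, 2, fixed);
}

/* Two valid chains: 0 either way. */
int well_formed_result(bool fixed)
{
    static const unsigned heads[] = { 0, 2 };
    return run(heads, 2, fixed);
}

int main(void)
{
    printf("stale max, pre-fix: %d  with fix: %d\n",
           stale_max_result(false), stale_max_result(true));
    printf("well-formed, pre-fix: %d  with fix: %d\n",
           well_formed_result(false), well_formed_result(true));
    return 0;
}
```

Swapping the order of the two heads makes the pre-fix walk return -2 as well, which is why the bug depends on an indirect descriptor being processed before the offending direct one.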
Diffstat (limited to 'disas')
0 files changed, 0 insertions, 0 deletions