authorRaphael Norwitz <raphael.norwitz@nutanix.com>2022-01-17 04:12:31 +0000
committerMichael S. Tsirkin <mst@redhat.com>2022-02-04 09:07:43 -0500
commit9f4e63491ba7ae2f7a537bb98a337f4dcd4e1c54 (patch)
treee9f7b8ddf06104b833ef08e1bbd80b5e8bc1caca /subprojects
parent316ee11144e3b8e1bc97a1d0fc6b1caf1963e104 (diff)
libvhost-user: Add vu_add_mem_reg input validation
Today, if multiple FDs are sent from the VMM to the backend in a VHOST_USER_ADD_MEM_REG message, one FD is mapped and the remaining FDs are leaked. Therefore, if multiple FDs are sent, we now report an error and fail the operation, closing all FDs in the message. Likewise, if the VMM sends a message whose size is less than that of a memory region descriptor, we add a check that gracefully reports an error and fails the operation rather than crashing. Signed-off-by: Raphael Norwitz <raphael.norwitz@nutanix.com> Message-Id: <20220117041050.19718-3-raphael.norwitz@nutanix.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: David Hildenbrand <david@redhat.com>
Diffstat (limited to 'subprojects')
-rw-r--r--subprojects/libvhost-user/libvhost-user.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/subprojects/libvhost-user/libvhost-user.c b/subprojects/libvhost-user/libvhost-user.c
index b09b1c2..1a8fc9d 100644
--- a/subprojects/libvhost-user/libvhost-user.c
+++ b/subprojects/libvhost-user/libvhost-user.c
@@ -690,6 +690,21 @@ vu_add_mem_reg(VuDev *dev, VhostUserMsg *vmsg) {
VuDevRegion *dev_region = &dev->regions[dev->nregions];
void *mmap_addr;
+ if (vmsg->fd_num != 1) {
+ vmsg_close_fds(vmsg);
+ vu_panic(dev, "VHOST_USER_ADD_MEM_REG received %d fds - only 1 fd "
+ "should be sent for this message type", vmsg->fd_num);
+ return false;
+ }
+
+ if (vmsg->size < VHOST_USER_MEM_REG_SIZE) {
+ close(vmsg->fds[0]);
+ vu_panic(dev, "VHOST_USER_ADD_MEM_REG requires a message size of at "
+ "least %d bytes and only %d bytes were received",
+ VHOST_USER_MEM_REG_SIZE, vmsg->size);
+ return false;
+ }
+
/*
* If we are in postcopy mode and we receive a u64 payload with a 0 value
* we know all the postcopy client bases have been received, and we