On 07/27/2016 09:37 AM, P J P wrote:
> From: Prasad J Pandit <p...@fedoraproject.org>
> 
> virtio back end uses set of buffers to facilitate I/O operations.
> An infinite loop unfolds in virtqueue_pop() if a buffer was
> of zero size. Add check to avoid it.
> 
> Reported-by: Li Qiang <liqiang...@360.cn>
> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
> ---
>  hw/virtio/virtio.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
> index 30ede3d..8de896c 100644
> --- a/hw/virtio/virtio.c
> +++ b/hw/virtio/virtio.c
> @@ -457,6 +457,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, 
> hwaddr *addr, struct iove
>      unsigned num_sg = *p_num_sg;
>      assert(num_sg <= max_num_sg);
>  
> +    if (!sz) {
> +        error_report("virtio: zero sized buffers are not allowed");
> +        exit(1);
> +    }

This lets the guest forcefully exit qemu.  Isn't it better to just make
the guest error degrade the virtio device into a broken state (the guest
can no longer use it, but qemu doesn't exit)?

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to