+-- On Tue, 13 Sep 2016, Dmitry Fleytman wrote --+
| > A guest user could set the 'ready_ptr' and 'PVSCSIRingInfo *mgr' parameter
| > in 'pvscsi_ring_pop_req_descr', such that it always returns true.
|
| I see. The problematic code is if (ready_ptr != mgr->consumed_ptr) {…}
|
| mgr->consumed_ptr is managed by device and not visible to the driver,
| but ready_ptr is managed by driver and may be set to some “big” number.
|
| In this case it may take a lot of iterations for consumed_ptr
| to become equal to ready_ptr and additionally some requests will be sent multiple times.
|
| The most straightforward way to fix this issue will be to
| check that ready_ptr - consumed_ptr is less than ring size.
I see.

| I think you’re mixing concepts of number of
| pages in the ring and number of requests in the ring.
|
| Each page contains (much) more than one request.

I see, okay. Thank you so much for the details. I'll send a revised patch.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
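The following is an added illustration of the check discussed in this thread, written for this page; it is not QEMU's pvscsi code. It models a device-side ring with a device-owned consumed_ptr and a driver-owned ready_ptr, and compares the bare `ready_ptr != consumed_ptr` test against the same test with the `ready_ptr - consumed_ptr < ring size` bound Dmitry suggests. The ring geometry (4 pages of 32 requests), the `RingInfo` type and the function names are constructed for the example; the real field names, sizes and pointer width are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <inttypes.h>

/* Constructed ring geometry (assumption, not the device's real values):
 * the ring is counted in pages, but the pointers index individual requests,
 * and each page holds many requests, which is the distinction raised above. */
#define RING_PAGES      4u
#define REQS_PER_PAGE   32u
#define RING_SIZE       (RING_PAGES * REQS_PER_PAGE)   /* 128 request slots */

/* Device-owned state; the guest driver cannot see or write consumed_ptr. */
typedef struct {
    uint32_t consumed_ptr;
} RingInfo;

/* Decide whether a request descriptor is available to pop.
 * ready_ptr comes from guest-writable shared memory, so it is untrusted.
 * With bounds_check == false this is the check quoted in the thread;
 * with bounds_check == true the outstanding distance is also required to
 * fit inside the ring. Both pointers are free-running 32-bit indices, so
 * the subtraction is modular and still works across wrap-around. */
static bool ring_has_request(const RingInfo *mgr, uint32_t ready_ptr,
                             bool bounds_check)
{
    if (ready_ptr == mgr->consumed_ptr) {
        return false;                      /* nothing outstanding */
    }
    if (bounds_check && ready_ptr - mgr->consumed_ptr >= RING_SIZE) {
        /* The driver claims more outstanding requests than the ring can
         * physically hold: treat the state as malformed and pop nothing. */
        return false;
    }
    return true;
}

/* Drain the ring the way a device loop would. Returns the number of
 * descriptors popped; max_iter caps the loop so the unbounded case can be
 * demonstrated without actually spinning ~4 billion times. Any count above
 * RING_SIZE means slots (consumed_ptr % RING_SIZE) were delivered again. */
static uint64_t drain_from(uint32_t consumed_ptr, uint32_t ready_ptr,
                           bool bounds_check, uint64_t max_iter)
{
    RingInfo mgr = { .consumed_ptr = consumed_ptr };
    uint64_t popped = 0;

    while (popped < max_iter && ring_has_request(&mgr, ready_ptr, bounds_check)) {
        mgr.consumed_ptr++;                /* unsigned wrap is intentional */
        popped++;
    }
    return popped;
}

int main(void)
{
    const uint64_t cap = 1000;

    /* Well-formed: 5 outstanding requests, both variants pop exactly 5. */
    printf("normal, unchecked: %" PRIu64 "\n", drain_from(0, 5, false, cap));
    printf("normal, checked:   %" PRIu64 "\n", drain_from(0, 5, true, cap));

    /* Legitimate wrap-around: distance is 32, which fits inside the ring. */
    printf("wrap, checked:     %" PRIu64 "\n",
           drain_from(0xFFFFFFF0u, 0x10u, true, cap));

    /* Driver-supplied "big" ready_ptr: unchecked variant runs until the cap
     * (it would otherwise loop 0xFFFFFFFF times), checked variant stops at 0. */
    printf("big, unchecked:    %" PRIu64 "\n",
           drain_from(0, 0xFFFFFFFFu, false, cap));
    printf("big, checked:      %" PRIu64 "\n",
           drain_from(0, 0xFFFFFFFFu, true, cap));
    return 0;
}
```

The point the example makes is the one in Dmitry's first reply: the bound is on the distance between the two request indices, measured in requests rather than pages, and it has to be evaluated with modular subtraction so that a ring whose indices have wrapped is still accepted.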