On Tue, Jan 15, 2019 at 01:08:47PM +0300, Dima Stepanov wrote: > The virtqueue_pop() and virtqueue_get_avail_bytes() routines can use the > INDIRECT table to get the data. It is possible to create a packet which > will lead to the assert message like: > include/exec/memory.h:1995: void > address_space_read_cached(MemoryRegionCache *, hwaddr, void *, int): > Assertion `addr < cache->len && len <= cache->len - addr' failed. > Aborted > To do it the first descriptor should have a link to the INDIRECT table > and set the size of it to 0. It doesn't look good that the guest should > be able to trigger the assert in qemu. Add additional check for the size > of the INDIRECT table, which should not be 0. > > Signed-off-by: Dima Stepanov <dimas...@yandex-team.ru> > --- > hw/virtio/virtio.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-)
Reviewed-by: Stefan Hajnoczi <stefa...@redhat.com>
signature.asc
Description: PGP signature
