On Fri, Mar 17 2023, Carlos López <clo...@suse.de> wrote:
> When a virtqueue size is changed by the guest via
> virtio_queue_set_num(), its region cache is not automatically updated.
> If the size was increased, this could lead to accessing the cache out
> of bounds. For example, in vring_get_used_event():
>
> static inline uint16_t vring_get_used_event(VirtQueue *vq)
> {
> return vring_avail_ring(vq, vq->vring.num);
> }
>
> static inline uint16_t vring_avail_ring(VirtQueue *vq, int i)
> {
> VRingMemoryRegionCaches *caches = vring_get_region_caches(vq);
> hwaddr pa = offsetof(VRingAvail, ring[i]);
>
> if (!caches) {
> return 0;
> }
>
> return virtio_lduw_phys_cached(vq->vdev, &caches->avail, pa);
> }
>
> vq->vring.num will be greater than caches->avail.len, which will
> trigger a failed assertion down the call path of
> virtio_lduw_phys_cached().
>
> Fix this by calling virtio_init_region_cache() after
> virtio_queue_set_num() if we are not already calling
> virtio_queue_set_rings(). In the legacy path this is already done by
> virtio_queue_update_rings().
>
> Signed-off-by: Carlos López <clo...@suse.de>
> ---
> v2: use virtio_init_region_cache() instead of
> virtio_queue_update_rings() in the path for modern devices.
>
> hw/s390x/virtio-ccw.c | 1 +
> hw/virtio/virtio-mmio.c | 1 +
> hw/virtio/virtio-pci.c | 1 +
> hw/virtio/virtio.c | 2 +-
> include/hw/virtio/virtio.h | 1 +
> 5 files changed, 5 insertions(+), 1 deletion(-)
>
Reviewed-by: Cornelia Huck <coh...@redhat.com>
We can always do any ccw reshuffling on top.
