"Michael S. Tsirkin" writes:
> On Fri, Apr 26, 2013 at 06:33:33PM +0800, Jason Wang wrote:
>> On 04/26/2013 06:32 PM, Eric Blake wrote:
>> > On 04/25/2013 11:06 PM, Jason Wang wrote:
>> if (addr > (vdev->config_len - sizeof(val)))
>>
>> ^ quiz: spot a bug above if confi
On Fri, Apr 26, 2013 at 06:33:33PM +0800, Jason Wang wrote:
> On 04/26/2013 06:32 PM, Eric Blake wrote:
> > On 04/25/2013 11:06 PM, Jason Wang wrote:
> if (addr > (vdev->config_len - sizeof(val)))
>
> ^ quiz: spot a bug above if config_len is 0:)
> >>> Then we need to
On 04/26/13 12:32, Eric Blake wrote:
> On 04/25/2013 11:06 PM, Jason Wang wrote:
if (addr > (vdev->config_len - sizeof(val)))
^ quiz: spot a bug above if config_len is 0:)
>>> Then we need to fix these bugs and allocate a CVE. virtio-rng has
>>> shipped. This code i
On 04/26/2013 06:32 PM, Eric Blake wrote:
> On 04/25/2013 11:06 PM, Jason Wang wrote:
if (addr > (vdev->config_len - sizeof(val)))
^ quiz: spot a bug above if config_len is 0:)
>>> Then we need to fix these bugs and allocate a CVE. virtio-rng has
>>> shipped. This c
On 04/25/2013 11:06 PM, Jason Wang wrote:
>>> if (addr > (vdev->config_len - sizeof(val)))
>>>
>>> ^ quiz: spot a bug above if config_len is 0:)
>> Then we need to fix these bugs and allocate a CVE. virtio-rng has
>> shipped. This code is also dumb.
>
> Ok, but since the discussi
On 04/26/2013 06:27 AM, Anthony Liguori wrote:
> "Michael S. Tsirkin" writes:
>
>> On Thu, Apr 25, 2013 at 03:20:20PM -0500, Anthony Liguori wrote:
>>> Jason Wang writes:
>>>
In fact we don't support zero length config length for virtio device.
>>> virtio-rng?
>> It has config_len == 0? In
"Michael S. Tsirkin" writes:
> On Thu, Apr 25, 2013 at 03:20:20PM -0500, Anthony Liguori wrote:
>> Jason Wang writes:
>>
>> > In fact we don't support zero length config length for virtio device.
>>
>> virtio-rng?
>
> It has config_len == 0? In that case guest using virtio-rng can crash
> qem
On Thu, Apr 25, 2013 at 03:20:20PM -0500, Anthony Liguori wrote:
> Jason Wang writes:
>
> > In fact we don't support zero length config length for virtio device.
>
> virtio-rng?
It has config_len == 0? In that case guest using virtio-rng can crash
qemu or read qemu memory:
uint32_t virtio_con
Jason Wang writes:
> In fact we don't support zero length config length for virtio device.
virtio-rng?
> And it can lead outbound memory access. So abort on zero config length
> to catch the bug earlier.
Not sure what you mean, but virtio-rng has a zero length config space.
Regards,
Anthony
On Thu, Apr 25, 2013 at 03:43:27PM +0800, Jason Wang wrote:
> In fact we don't support zero length config length for virtio device. And it
> can lead outbound memory access. So abort on zero config length to catch the
> bug earlier.
>
> Signed-off-by: Jason Wang
Acked-by: Michael S. Tsirkin
In fact we don't support zero length config length for virtio device. And it can
lead outbound memory access. So abort on zero config length to catch the bug
earlier.
Signed-off-by: Jason Wang
---
hw/virtio/virtio.c |7 ++-
1 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/h