-
由 yongduan 提交于
commit 060423bfdee3f8bc6e2c1bac97de24d5415e2bc4 upstream. The code assumes log_num < in_num everywhere, and that is true as long as in_num is incremented by descriptor iov count, and log_num by 1. However this breaks if there's a zero sized descriptor. As a result, if a malicious guest creates a vring desc with desc.len = 0, it may cause the host kernel to crash by overflowing the log array. This bug can be triggered during the VM migration. There's no need to log when desc.len = 0, so just don't increment log_num in this case. Fixes: 3a4d5c94 ("vhost_net: a kernel-level virtio server") Cc: stable@vger.kernel.org Reviewed-by: NLidong Chen <lidongchen@tencent.com> Signed-off-by: Nruippan <ruippan@tencent.com> Signed-off-by: Nyongduan <yongduan@tencent.com> Acked-by: NMichael S. Tsirkin <mst@redhat.com> Reviewed-by: NTyler Hicks <tyhicks@canonical.com> Signed-off-by: NMichael S. Tsirkin <mst@redhat.com> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
ba03ee62