Merge remote-tracking branch...

Merge remote-tracking branch 'remotes/stefanha/tags/CVE-2016-5403-virtio-unbounded-allocation-pull-request' into staging # gpg: Signature made Wed 27 Jul 2016 16:13:02 BST # gpg: using RSA key 0x9CA4ABB381AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" # Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8 * remotes/stefanha/tags/CVE-2016-5403-virtio-unbounded-allocation-pull-request: virtio: error out if guest exceeds virtqueue size Signed-off-by: N Peter Maydell <peter.maydell@linaro.org>

Merge remote-tracking branch...
Merge remote-tracking branch 'remotes/stefanha/tags/CVE-2016-5403-virtio-unbounded-allocation-pull-request' into staging # gpg: Signature made Wed 27 Jul 2016 16:13:02 BST # gpg: using RSA key 0x9CA4ABB381AB73C8 # gpg: Good signature from "Stefan Hajnoczi <stefanha@redhat.com>" # gpg: aka "Stefan Hajnoczi <stefanha@gmail.com>" # Primary key fingerprint: 8695 A8BF D3F9 7CDA AC35 775A 9CA4 ABB3 81AB 73C8 * remotes/stefanha/tags/CVE-2016-5403-virtio-unbounded-allocation-pull-request: virtio: error out if guest exceeds virtqueue size Signed-off-by: N Peter Maydell <peter.maydell@linaro.org>
51313fe4 · Peter Maydell · df5c50a2 · afd9096e · 51313fe4
隐藏空白更改
内联并排

Showing with 5 addition and 0 deletion

hw/virtio/virtio.c hw/virtio/virtio.c +5 -0

未找到文件。
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -562,6 +562,11 @@ void *virtqueue_pop(VirtQueue *vq, size_t sz)

    max = vq->vring.num;

+    if (vq->inuse >= vq->vring.num) {
+        error_report("Virtqueue size exceeded");
+        exit(1);
+    }
+
    i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
    if (virtio_vdev_has_feature(vdev, VIRTIO_RING_F_EVENT_IDX)) {
        vring_set_avail_event(vq, vq->last_avail_idx);