Skip to content
GitLab
Projects Groups Topics Snippets
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
  • Sign in
  • L linux-dm
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributor statistics
    • Graph
    • Compare revisions
    • Locked files
  • Issues 0
    • Issues 0
    • List
    • Boards
    • Service Desk
    • Milestones
    • Iterations
    • Requirements
  • Merge requests 0
    • Merge requests 0
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
    • Test cases
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Packages and registries
    • Packages and registries
    • Container Registry
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Code review
    • Insights
    • Issue
    • Repository
  • Wiki
    • Wiki
  • Snippets
    • Snippets
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • linux-arm
  • linux-dm
  • Repository
  • linux-dm
  • drivers
  • vhost
  • vhost.c
Find file BlameHistoryPermalink
  • yongduan's avatar
    vhost: make sure log_num < in_num · 060423bf
    yongduan authored Sep 11, 2019
    The code assumes log_num < in_num everywhere, and that is true as long as
    in_num is incremented by descriptor iov count, and log_num by 1. However
    this breaks if there's a zero sized descriptor.
    
    As a result, if a malicious guest creates a vring desc with desc.len = 0,
    it may cause the host kernel to crash by overflowing the log array. This
    bug can be triggered during the VM migration.
    
    There's no need to log when desc.len = 0, so just don't increment log_num
    in this case.
    
    Fixes: 3a4d5c94
    
     ("vhost_net: a kernel-level virtio server")
    Cc: stable@vger.kernel.org
    Reviewed-by: default avatarLidong Chen <lidongchen@tencent.com>
    Signed-off-by: default avatarruippan <ruippan@tencent.com>
    Signed-off-by: default avataryongduan <yongduan@tencent.com>
    Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
    Reviewed-by: default avatarTyler Hicks <tyhicks@canonical.com>
    Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
    060423bf