[2/3] virtio: Strictly check queue_size when adding virtqueue

Message ID 20110615142533.26726.54603.stgit@localhost6.localdomain6 (mailing list archive)
State New, archived
Commit Message

Amos Kong June 15, 2011, 2:25 p.m. UTC
Qemu should abort when 'queue_size' is less than or equal to zero.

Signed-off-by: Amos Kong <akong@redhat.com>
---
 hw/virtio.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)


--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Michael S. Tsirkin June 15, 2011, 8:36 p.m. UTC | #1
On Wed, Jun 15, 2011 at 10:25:33PM +0800, Amos Kong wrote:
> Qemu should abort when 'queue_size' is less than or equal to zero.
> 
> Signed-off-by: Amos Kong <akong@redhat.com>

BTW, these patches apply upstream so should be sent to qemu-devel.

> ---
>  hw/virtio.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/hw/virtio.c b/hw/virtio.c
> index a3d0eee..855fe54 100644
> --- a/hw/virtio.c
> +++ b/hw/virtio.c
> @@ -612,7 +612,8 @@ VirtQueue *virtio_add_queue(VirtIODevice *vdev, int queue_size,
>              break;
>      }
>  
> -    if (i == VIRTIO_PCI_QUEUE_MAX || queue_size > VIRTQUEUE_MAX_SIZE)
> +    if (i == VIRTIO_PCI_QUEUE_MAX || queue_size > VIRTQUEUE_MAX_SIZE ||
> +        queue_size <= 0)
>          abort();
>  
>      vdev->vq[i].vring.num = queue_size;

These checks are just a debugging aid - there's no way
for the guest or user to trigger this.
I guess it does no harm, but what are we guarding against?
Why would anyone pass in a negative value?
Amos Kong June 15, 2011, 10:53 p.m. UTC | #2
On Wed, Jun 15, 2011 at 11:36:02PM +0300, Michael S. Tsirkin wrote:
> On Wed, Jun 15, 2011 at 10:25:33PM +0800, Amos Kong wrote:
> > Qemu should abort when 'queue_size' is less than or equal to zero.
> > 
> > Signed-off-by: Amos Kong <akong@redhat.com>
> 
> BTW, these patches apply upstream so should be sent to qemu-devel.
> 
> > ---
> >  hw/virtio.c |    3 ++-
> >  1 files changed, 2 insertions(+), 1 deletions(-)
> > 
> > diff --git a/hw/virtio.c b/hw/virtio.c
> > index a3d0eee..855fe54 100644
> > --- a/hw/virtio.c
> > +++ b/hw/virtio.c
> > @@ -612,7 +612,8 @@ VirtQueue *virtio_add_queue(VirtIODevice *vdev, int queue_size,
> >              break;
> >      }
> >  
> > -    if (i == VIRTIO_PCI_QUEUE_MAX || queue_size > VIRTQUEUE_MAX_SIZE)
> > +    if (i == VIRTIO_PCI_QUEUE_MAX || queue_size > VIRTQUEUE_MAX_SIZE ||
> > +        queue_size <= 0)
> >          abort();
> >  
> >      vdev->vq[i].vring.num = queue_size;
> 
> These checks are just a debugging aid - there's no way
> for the guest or user to trigger this.
> I guess it does no harm, but what are we guarding against?
> Why would anyone pass in a negative value?

It seems all existing usages of this function are all right; the guest/user could not trigger this right now.
So we don't need to fix this kind of problem?
Anthony Liguori June 15, 2011, 11:31 p.m. UTC | #3
On 06/15/2011 05:53 PM, Amos Kong wrote:
> On Wed, Jun 15, 2011 at 11:36:02PM +0300, Michael S. Tsirkin wrote:
>> On Wed, Jun 15, 2011 at 10:25:33PM +0800, Amos Kong wrote:
>>> Qemu should abort when 'queue_size' is less than or equal to zero.
>>>
>>> Signed-off-by: Amos Kong <akong@redhat.com>
>>
>> BTW, these patches apply upstream so should be sent to qemu-devel.
>>
>>> ---
>>>   hw/virtio.c |    3 ++-
>>>   1 files changed, 2 insertions(+), 1 deletions(-)
>>>
>>> diff --git a/hw/virtio.c b/hw/virtio.c
>>> index a3d0eee..855fe54 100644
>>> --- a/hw/virtio.c
>>> +++ b/hw/virtio.c
>>> @@ -612,7 +612,8 @@ VirtQueue *virtio_add_queue(VirtIODevice *vdev, int queue_size,
>>>               break;
>>>       }
>>>
>>> -    if (i == VIRTIO_PCI_QUEUE_MAX || queue_size>  VIRTQUEUE_MAX_SIZE)
>>> +    if (i == VIRTIO_PCI_QUEUE_MAX || queue_size>  VIRTQUEUE_MAX_SIZE ||
>>> +        queue_size<= 0)
>>>           abort();
>>>
>>>       vdev->vq[i].vring.num = queue_size;
>>
>> These checks are just a debugging aid - there's no way
>> for the guest or user to trigger this.
>> I guess it does no harm, but what are we guarding against?
>> Why would anyone pass in a negative value?
>
> It seems all existing usages of this function are all right; the guest/user could not trigger this right now.
> So we don't need to fix this kind of problem?

If it's not valid for queue_size to be negative, then the type ought to 
be unsigned.

Regards,

Anthony Liguori

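To make Anthony's point concrete, here is an added illustration (not code from this thread or from QEMU) of the check with the patch's signed `int` parameter next to an `unsigned` variant: with an unsigned parameter a negative value from a careless caller is converted to a huge number and is rejected by the existing upper bound, so only the zero check remains. It assumes `VIRTQUEUE_MAX_SIZE` is 1024 as in QEMU of that time, and the power-of-two rule in the strict variant comes from the virtio spec's ring layout, not from anything said in the thread.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed bound; mirrors QEMU's VIRTQUEUE_MAX_SIZE of the era (1024). */
#define VIRTQUEUE_MAX_SIZE 1024

/* Check as written in the patch: the parameter is a signed int, so the
 * negative range has to be ruled out explicitly with "<= 0". */
static bool queue_size_valid_int(int queue_size)
{
    return queue_size > 0 && queue_size <= VIRTQUEUE_MAX_SIZE;
}

/* Anthony's suggestion: an unsigned parameter has no negative range.
 * A caller that still passes -1 hands over UINT_MAX after conversion,
 * and the existing upper bound rejects that, so the only extra case to
 * rule out is zero. */
static bool queue_size_valid_unsigned(unsigned queue_size)
{
    return queue_size != 0 && queue_size <= VIRTQUEUE_MAX_SIZE;
}

/* Strict variant: legacy virtio rings also require a power-of-two size
 * (virtio spec requirement, assumed here, not discussed in the thread). */
static bool queue_size_valid_strict(unsigned queue_size)
{
    bool power_of_two = (queue_size & (queue_size - 1)) == 0;
    return queue_size_valid_unsigned(queue_size) && power_of_two;
}

int main(void)
{
    /* Constructed sample inputs: typical ring, zero, a negative int,
     * an oversized ring and a non-power-of-two size. */
    int samples[] = { 256, 0, -1, 2048, 300 };
    for (unsigned i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int s = samples[i];
        printf("%5d: int=%d unsigned=%d strict=%d\n", s,
               queue_size_valid_int(s),
               queue_size_valid_unsigned((unsigned)s),
               queue_size_valid_strict((unsigned)s));
    }
    return 0;
}
```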
Patch

diff --git a/hw/virtio.c b/hw/virtio.c
index a3d0eee..855fe54 100644
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -612,7 +612,8 @@  VirtQueue *virtio_add_queue(VirtIODevice *vdev, int queue_size,
             break;
     }
 
-    if (i == VIRTIO_PCI_QUEUE_MAX || queue_size > VIRTQUEUE_MAX_SIZE)
+    if (i == VIRTIO_PCI_QUEUE_MAX || queue_size > VIRTQUEUE_MAX_SIZE ||
+        queue_size <= 0)
         abort();
 
     vdev->vq[i].vring.num = queue_size;
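Review bot: the added `queue_size <= 0` branch only exists because `queue_size` is declared as a signed `int` in the function signature on the `@@` line; as Anthony notes, a negative size is never meaningful here, so changing the parameter to `unsigned queue_size` would remove the negative range at the type level and leave just a `queue_size == 0` test beside the existing `> VIRTQUEUE_MAX_SIZE` bound. Since Michael's point is that no guest or user input reaches this check with a bad value, the commit message should also say this is an assertion against internal caller misuse rather than a fix for a reachable bug, so that the "Qemu should abort" wording does not read as a security fix.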