[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [UNIKRAFT PATCH] driver/virtio: fix virtqueue_vring allocation

Hello Hugo,

Thanks for the fix.

Reviewed-by: Sharan Santhanam <sharan.santhanam@xxxxxxxxx>

Thanks & Regards

Sharan

On 7/14/20 2:04 PM, Hugo Lefeuvre wrote:

virtqueue_create() allocates virtqueue_vring structures dynamically, but
the amount of memory requested to the memory allocator is incorrect:
sizeof(struct virtqueue) instead of sizeof(struct virtqueue_vring).

This bug is probably due to a simple oversight and has gone unnoticed
because of allocator-specific paddings.

This results in out-of-bounds write in virtqueue_buffer_enqueue.

Signed-off-by: Hugo Lefeuvre <hugo.lefeuvre@xxxxxxxxx>
---
  plat/drivers/virtio/virtio_ring.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plat/drivers/virtio/virtio_ring.c 
b/plat/drivers/virtio/virtio_ring.c
index ab9287a..0a5c3f3 100644
--- a/plat/drivers/virtio/virtio_ring.c
+++ b/plat/drivers/virtio/virtio_ring.c
@@ -366,7 +366,7 @@ struct virtqueue *virtqueue_create(__u16 queue_id, __u16 
nr_descs, __u16 align,
UK_ASSERT(a); - vrq = uk_malloc(a, sizeof(struct virtqueue) + 
+       vrq = uk_malloc(a, sizeof(*vrq) +
                        nr_descs * sizeof(struct virtqueue_desc_info));
        if (!vrq) {
                uk_pr_err("Allocation of virtqueue failed\n");

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.