Commit
fix: Ensure the entire queue is contained in memory

The previous is_valid check only checked whether the last byte of avail_ring, descriptor_table or used_ring are valid guest physical addresses. However, since guest memory is not necessarily contiguous (for example, the MMIO gap leaves a hole), this allowed a guest to set up a queue structure that "starts" inside the MMIO gap and ends outside of it. This would pass validations, and then later potentially crash firecracker when a device tried to consume descriptors from it. This happens because while all actual memory reads and writes perform additional bounds checks, some code in queue.rs used .unwrap() under the assumption that all such bounds checks would always pass (which they would, if is_valid() were implemented correctly). This would then result in a panic!().

Signed-off-by: Patrick Roy <roypat@amazon.co.uk>
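A constructed illustration of the two validation strategies the message contrasts (added here; this is not Firecracker's code): a last-byte check accepts a queue area that straddles a hole in guest memory, while a containment check rejects it. The GuestMemory and Queue types, the region layout and the addresses are assumptions; the area sizes follow the virtio split-ring layout.

```rust
// Constructed model, not Firecracker's own code. Guest memory is a list of
// disjoint regions (start, len); a hole such as the MMIO gap is simply absent.
struct GuestMemory {
    regions: Vec<(u64, u64)>, // (guest physical start, length), assumed layout
}

impl GuestMemory {
    fn address_in_range(&self, addr: u64) -> bool {
        self.regions.iter().any(|&(s, l)| addr >= s && addr < s + l)
    }
    // A range is usable only if it lies entirely inside one region, so no
    // hole can sit between its first and last byte.
    fn range_in_one_region(&self, addr: u64, len: u64) -> bool {
        let end = match addr.checked_add(len) { Some(e) => e, None => return false };
        len > 0 && self.regions.iter().any(|&(s, l)| addr >= s && end <= s + l)
    }
}

struct Queue { size: u16, desc_table: u64, avail_ring: u64, used_ring: u64 }

impl Queue {
    // Virtio split-ring sizes: 16 bytes per descriptor, 6 + 2*size for the
    // available ring, 6 + 8*size for the used ring.
    fn areas(&self) -> [(u64, u64); 3] {
        let n = u64::from(self.size);
        [(self.desc_table, 16 * n), (self.avail_ring, 6 + 2 * n), (self.used_ring, 6 + 8 * n)]
    }
    // Flawed check: only the last byte of each area must be a valid GPA.
    fn is_valid_last_byte_only(&self, mem: &GuestMemory) -> bool {
        self.areas().iter().all(|&(a, l)| mem.address_in_range(a + l - 1))
    }
    // Corrected check: every area must be fully contained in one region.
    fn is_valid_contained(&self, mem: &GuestMemory) -> bool {
        self.areas().iter().all(|&(a, l)| mem.range_in_one_region(a, l))
    }
}

fn main() {
    // Assumed layout: RAM at 0x0..0x4000, a hole at 0x4000..0x8000, RAM at 0x8000..0xC000.
    let mem = GuestMemory { regions: vec![(0x0, 0x4000), (0x8000, 0x4000)] };
    // Descriptor table of 256 entries starting inside the hole and ending past it.
    let q = Queue { size: 256, desc_table: 0x7800, avail_ring: 0x1000, used_ring: 0x2000 };
    println!("last-byte check: {}", q.is_valid_last_byte_only(&mem)); // true
    println!("containment check: {}", q.is_valid_contained(&mem));    // false
}
```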