virtio-ccw: fix range check for SET_VQ
VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be
able to trigger a write beyond the VirtQueue structure.

Cc: qemu-stable@nongnu.org
Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com>
Acked-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
cohuck committed Mar 30, 2015
1 parent 627f91b commit 590fe57
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion hw/s390x/virtio-ccw.c
Expand Up @@ -266,7 +266,7 @@ static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t addr, uint32_t align,
{
VirtIODevice *vdev = virtio_ccw_get_vdev(sch);

if (index > VIRTIO_PCI_QUEUE_MAX) {
if (index >= VIRTIO_PCI_QUEUE_MAX) {
return -EINVAL;
}
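Review bot: the new test `if (index >= VIRTIO_PCI_QUEUE_MAX)` bounds `index` only from above, and the parameter's declaration is cut off in the hunk header, so please confirm it is an unsigned type; if it were signed, a negative guest-supplied value would still pass this check and reach the same out-of-bounds write the commit message describes. It would also help to say in the commit message or in a one-line comment above the check that valid queue indices run from 0 to VIRTIO_PCI_QUEUE_MAX - 1, since "already too big" does not spell out the off-by-one. Since this is tagged for qemu-stable, it is worth checking the rest of hw/s390x/virtio-ccw.c for other comparisons written as `> VIRTIO_PCI_QUEUE_MAX` on guest-controlled indices, so that they can go into the same backport.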
