virtio: error out if guest exceeds virtqueue size

A broken or malicious guest can submit more requests than the virtqueue
size permits.

The guest can submit requests without bothering to wait for completion
and is therefore not bound by virtqueue size.  This requires reusing
vring descriptors in more than one request, which is incorrect but
possible.  Processing a request allocates a VirtQueueElement and
therefore causes unbounded memory allocation controlled by the guest.

Exit with an error if the guest provides more requests than the
virtqueue size permits.  This bounds memory allocation and makes the
buggy guest visible to the user.

upstream-commit-id: afd9096eb1882f23929f5b5c177898ed231bac66
Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>

diff --git a/hw/virtio.c b/hw/virtio.c
index f7f12114ba69bf7471a4418ba845169ff2b8d52a..f583e06b34c714ab2f53585a6a63f47fbf8e966f 100644 (file)
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -449,6 +449,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
 
     max = vq->vring.num;
 
 
     max = vq->vring.num;
 

+    if (vq->inuse >= max) {
+        error_report("Virtqueue size exceeded");
+        exit(1);
+    }
+

     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
     if (vq->vdev->guest_features & (1 << VIRTIO_RING_F_EVENT_IDX)) {
         vring_avail_event(vq, vring_avail_idx(vq));
     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
     if (vq->vdev->guest_features & (1 << VIRTIO_RING_F_EVENT_IDX)) {
         vring_avail_event(vq, vring_avail_idx(vq));