virtio: error out if guest exceeds virtqueue size

A broken or malicious guest can submit more requests than the virtqueue
size permits.

The guest can submit requests without bothering to wait for completion
and is therefore not bound by virtqueue size.  This requires reusing
vring descriptors in more than one request, which is incorrect but
possible.  Processing a request allocates a VirtQueueElement and
therefore causes unbounded memory allocation controlled by the guest.

Exit with an error if the guest provides more requests than the
virtqueue size permits.  This bounds memory allocation and makes the
buggy guest visible to the user.

Reported-by: Zhenhao Hong <zhenhaohong@gmail.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
(cherry picked from commit c4e0d84d3c92923fdbc7fa922638d54e5e834753)

diff --git a/hw/virtio.c b/hw/virtio.c
index c26feffcf6235ef5906434592f994cc9adcf4851..42897bfeee76f12857e4c16eb56c9be81dd810da 100644 (file)
--- a/hw/virtio.c
+++ b/hw/virtio.c
@@ -421,6 +421,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
     /* When we start there are none of either input nor output. */
     elem->out_num = elem->in_num = 0;
 
+    if (vq->inuse >= vq->vring.num) {
+        fprintf(stderr, "Virtqueue size exceeded");
+        exit(1);
+    }
+
     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
     do {
         struct iovec *sg;