authorJorge E. Moreira <jemoreira@google.com>2019-07-31 16:23:03 -0700
committerCommit Bot <commit-bot@chromium.org>2019-08-07 00:37:05 +0000
commit28ea102c0ef601340787cc86d3dc60bed382a763 (patch)
tree4dce4e55426e7b00b2aa892900728cabfa67da98
parent267f2c80d1144e2eb7da1aca51c9c75eac186c77 (diff)
devices: fix virtio-queue range check
The check for validity of a DescriptorChain needs to ensure that
self.len bytes starting from self.addr are valid guest memory
addresses. The last byte of that range (assuming self.len > 0) is
self.addr + self.len - 1.

BUG=b/138459777
TEST=run cuttlefish locally with 4.19 kernel

Change-Id: I2eb6e70e099b3849ac1f6cdd0dfeed092c2a2b02
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1728481
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Jorge Moreira Broche <jemoreira@google.com>
Auto-Submit: Jorge Moreira Broche <jemoreira@google.com>
-rw-r--r--devices/src/virtio/queue.rs9
1 files changed, 5 insertions, 4 deletions
diff --git a/devices/src/virtio/queue.rs b/devices/src/virtio/queue.rs
index dbec3b1..ea894a2 100644
--- a/devices/src/virtio/queue.rs
+++ b/devices/src/virtio/queue.rs
@@ -113,10 +113,11 @@ impl<'a> DescriptorChain<'a> {
 
     #[allow(clippy::if_same_then_else)]
     fn is_valid(&self) -> bool {
-        if self
-            .mem
-            .checked_offset(self.addr, self.len as u64)
-            .is_none()
+        if self.len > 0
+            && self
+                .mem
+                .checked_offset(self.addr, self.len as u64 - 1u64)
+                .is_none()
         {
             false
         } else if self.has_next() && self.next >= self.queue_size {
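Review bot: With the added `self.len > 0` guard a zero-length descriptor is no longer range-checked at all, so its `self.addr` can be any 64-bit value and `is_valid` still returns true; that is correct for a zero-byte access, but any later code that derives a mapping or a slice from `self.addr` for a len == 0 descriptor must not assume the address lies inside guest memory. Stating that intent at the check would help the next reader: `// A zero-length descriptor touches no guest memory, so only the non-empty case needs a range check.` The `as u64 - 1u64` subtraction cannot underflow because of the guard, but whether `checked_offset` also rejects an addr + (len - 1) sum that wraps is not visible here and is worth confirming. The `#[allow(clippy::if_same_then_else)]` chain could be collapsed into a single boolean expression, which would remove the need for the allow. is_valid's body continues past the end of the hunk.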