diff options
author | Jorge E. Moreira <jemoreira@google.com> | 2019-07-31 16:23:03 -0700 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2019-08-07 00:37:05 +0000 |
commit | 28ea102c0ef601340787cc86d3dc60bed382a763 (patch) | |
tree | 4dce4e55426e7b00b2aa892900728cabfa67da98 | |
parent | 267f2c80d1144e2eb7da1aca51c9c75eac186c77 (diff) | |
download | crosvm-28ea102c0ef601340787cc86d3dc60bed382a763.tar crosvm-28ea102c0ef601340787cc86d3dc60bed382a763.tar.gz crosvm-28ea102c0ef601340787cc86d3dc60bed382a763.tar.bz2 crosvm-28ea102c0ef601340787cc86d3dc60bed382a763.tar.lz crosvm-28ea102c0ef601340787cc86d3dc60bed382a763.tar.xz crosvm-28ea102c0ef601340787cc86d3dc60bed382a763.tar.zst crosvm-28ea102c0ef601340787cc86d3dc60bed382a763.zip |
devices: fix virtio-queue range check
The check for validity of a DescriptorChain needs to ensure that self.len bytes starting from self.addr are valid valid guest memory addresses. The last byte of that range (assuming self.len > 0) is self.addr + self.len - 1. BUG=b/138459777 TEST=run cuttlefish locally with 4.19 kernel Change-Id: I2eb6e70e099b3849ac1f6cdd0dfeed092c2a2b02 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1728481 Reviewed-by: Dylan Reid <dgreid@chromium.org> Tested-by: kokoro <noreply+kokoro@google.com> Commit-Queue: Jorge Moreira Broche <jemoreira@google.com> Auto-Submit: Jorge Moreira Broche <jemoreira@google.com>
-rw-r--r-- | devices/src/virtio/queue.rs | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/devices/src/virtio/queue.rs b/devices/src/virtio/queue.rs index dbec3b1..ea894a2 100644 --- a/devices/src/virtio/queue.rs +++ b/devices/src/virtio/queue.rs @@ -113,10 +113,11 @@ impl<'a> DescriptorChain<'a> { #[allow(clippy::if_same_then_else)] fn is_valid(&self) -> bool { - if self - .mem - .checked_offset(self.addr, self.len as u64) - .is_none() + if self.len > 0 + && self + .mem + .checked_offset(self.addr, self.len as u64 - 1u64) + .is_none() { false } else if self.has_next() && self.next >= self.queue_size { |