yongduan 060423bfde vhost: make sure log_num < in_num ... The code assumes log_num < in_num everywhere, and that is true as long as in_num is incremented by descriptor iov count, and log_num by 1. However this breaks if there's a zero sized descriptor. As a result, if a malicious guest creates a vring desc with desc.len = 0, it may cause the host kernel to crash by overflowing the log array. This bug can be triggered during the VM migration. There's no need to log when desc.len = 0, so just don't increment log_num in this case. Fixes: 3a4d5c94e9 ("vhost_net: a kernel-level virtio server") Cc: stable@vger.kernel.org Reviewed-by: Lidong Chen <lidongchen@tencent.com> Signed-off-by: ruippan <ruippan@tencent.com> Signed-off-by: yongduan <yongduan@tencent.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>		2019-09-11 15:15:26 -04:00
..
Kconfig	treewide: Add SPDX license identifier - Makefile/Kconfig	2019-05-21 10:50:46 +02:00
Kconfig.vringh	treewide: Add SPDX license identifier - Makefile/Kconfig	2019-05-21 10:50:46 +02:00
Makefile	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
net.c	virtio, vhost: fixes, features, performance	2019-07-17 11:26:09 -07:00
scsi.c	vhost: scsi: add weight support	2019-05-27 11:08:23 -04:00
test.c	vhost/test: fix build for vhost test	2019-09-04 06:21:17 -04:00
test.h	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
vhost.c	vhost: make sure log_num < in_num	2019-09-11 15:15:26 -04:00
vhost.h	Revert "vhost: access vq metadata through kernel virtual address"	2019-09-04 07:39:48 -04:00
vringh.c	treewide: Add SPDX license identifier for more missed files	2019-05-21 10:50:45 +02:00
vsock.c	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 482	2019-06-19 17:09:52 +02:00