virtio_ring: secure handling of mapping errors
We should not depend on the DMA address, length and flag of descriptor table since they could be wrote with arbitrary value by the device. So this patch switches to use the stored one in desc_extra. Note that the indirect descriptors are fine since they are read-only streaming mappings. Signed-off-by: Jason Wang <jasowang@redhat.com> Link: https://lore.kernel.org/r/20210604055350.58753-5-jasowang@redhat.com Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
This commit is contained in:
parent
5a22242160
commit
44593865b7
@ -1219,13 +1219,16 @@ static inline int virtqueue_add_packed(struct virtqueue *_vq,
|
||||
unmap_release:
|
||||
err_idx = i;
|
||||
i = head;
|
||||
curr = vq->free_head;
|
||||
|
||||
vq->packed.avail_used_flags = avail_used_flags;
|
||||
|
||||
for (n = 0; n < total_sg; n++) {
|
||||
if (i == err_idx)
|
||||
break;
|
||||
vring_unmap_desc_packed(vq, &desc[i]);
|
||||
vring_unmap_state_packed(vq,
|
||||
&vq->packed.desc_extra[curr]);
|
||||
curr = vq->packed.desc_extra[curr].next;
|
||||
i++;
|
||||
if (i >= vq->packed.vring.num)
|
||||
i = 0;
|
||||
|
Loading…
Reference in New Issue
Block a user