author | Prasad J Pandit <pjp@fedoraproject.org> | 2016-09-19 23:55:45 +0530 |
---|---|---|
committer | Michael S. Tsirkin <mst@redhat.com> | 2016-09-23 18:51:40 +0300 |
commit | 973e7170dddefb491a48df5cba33b2ae151013a0 (patch) | |
tree | e442e4cf4fb0110660249c5638f9ad960a31787a | |
parent | 9294d76c15e5d0cabc626bc4d95f95f896abc8d0 (diff) | |
download | qemu-973e7170dddefb491a48df5cba33b2ae151013a0.zip |
virtio: add check for descriptor's mapped address
virtio back end uses set of buffers to facilitate I/O operations.
If its size is too large, 'cpu_physical_memory_map' could return
a null address. This would result in a null dereference while
un-mapping descriptors. Add check to avoid it.
Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
-rw-r--r-- | hw/virtio/virtio.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index fcf3358d6c..bb656b1ccf 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -495,6 +495,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove } iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write); + if (!iov[num_sg].iov_base) { + error_report("virtio: bogus descriptor or out of resources"); + exit(1); + } + iov[num_sg].iov_len = len; addr[num_sg] = pa; |
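Review bot: The new error_report() call in virtqueue_map_desc() folds two different causes into one message ("bogus descriptor or out of resources") and logs neither pa nor len, so an operator reading the log cannot tell a malformed guest descriptor from host-side mapping exhaustion. Consider including both values in the message, for example the physical address and the requested length that were passed to cpu_physical_memory_map(). Separately, the exit(1) in the same block means a descriptor supplied by the guest still terminates the whole process; that is a controlled stop instead of the NULL dereference the commit message describes, but it remains a guest-triggerable shutdown of its own VM. If the function can report failure to its caller, returning an error and letting the device be marked as failed would be gentler. At minimum, a short comment above the check should say that a NULL return here is expected to be reachable from guest input.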