authorYongji Xie <elohimes@gmail.com>2018-01-19 00:04:05 +0800
committerMichael S. Tsirkin <mst@redhat.com>2018-02-13 18:25:48 +0200
commit293084a7196b1d7781b6fe19b24e85eb8b7f4de0 (patch)
tree9c3adca62a86fca93bb70d452e9193881e366897 /contrib/libvhost-user/libvhost-user.h
parentbb102d1da15a97c6750a4f96810cf15713be2bd6 (diff)
libvhost-user: Support across-memory-boundary access
The sg list/indirect descriptor table may be contiguous in GPA but not in HVA address space. But libvhost-user wasn't aware of that. This would cause out-of-bounds access. Even a malicious guest could use it to get information from the vhost-user backend. Introduce a plen parameter in vu_gpa_to_va() so we can handle this case, returning the actual mapped length. Signed-off-by: Yongji Xie <xieyongji@baidu.com> Reviewed-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Diffstat (limited to 'contrib/libvhost-user/libvhost-user.h')
-rw-r--r--contrib/libvhost-user/libvhost-user.h3
1 files changed, 2 insertions, 1 deletions
diff --git a/contrib/libvhost-user/libvhost-user.h b/contrib/libvhost-user/libvhost-user.h
index f8a730b725..18f95f65d7 100644
--- a/contrib/libvhost-user/libvhost-user.h
+++ b/contrib/libvhost-user/libvhost-user.h
@@ -327,11 +327,12 @@ bool vu_dispatch(VuDev *dev);
/**
* vu_gpa_to_va:
* @dev: a VuDev context
+ * @plen: guest memory size
* @guest_addr: guest address
*
* Translate a guest address to a pointer. Returns NULL on failure.
*/
-void *vu_gpa_to_va(VuDev *dev, uint64_t guest_addr);
+void *vu_gpa_to_va(VuDev *dev, uint64_t *plen, uint64_t guest_addr);
/**
* vu_get_queue:
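Review bot: The new `@plen` line, `guest memory size`, does not tell a caller that the parameter is in/out, which is the contract the out-of-bounds fix depends on. Going by the commit message, the function returns the actually mapped length through `*plen`, so a caller that ignores the updated value can still read or write past the end of a memory region using a guest-controlled address and length. I would document it as `@plen: in: length of the guest range to translate; out: length that is contiguous in the backend's address space, which may be smaller`. I would also add a sentence to the description saying that callers must compare `*plen` with the requested length and translate the remainder with a further call. The implementation is not part of this header diff, so the exact clamping behaviour should be confirmed against libvhost-user.c before the wording is fixed.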