| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 2 Jun 2021 17:41:33 -0700
From: Andi Kleen <ak@...ux.intel.com>
To: mst@...hat.com
Cc: jasowang@...hat.com, virtualization@...ts.linux-foundation.org,
hch@....de, m.szyprowski@...sung.com, robin.murphy@....com,
iommu@...ts.linux-foundation.org, x86@...nel.org,
sathyanarayanan.kuppuswamy@...ux.intel.com, jpoimboe@...hat.com,
linux-kernel@...r.kernel.org, Andi Kleen <ak@...ux.intel.com>
Subject: [PATCH v1 8/8] virtio: Error out on endless free lists
Error out with a warning when the free list loops longer
than the maximum size while freeing descriptors. While technically
we don't care about DOS it is still better to abort it early.
We ran into this problem while fuzzing the virtio interactions
where the fuzzed code would get stuck for a long time.
Signed-off-by: Andi Kleen <ak@...ux.intel.com>
---
drivers/virtio/virtio_ring.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
index 244a5b62d85c..96adaa4c5404 100644
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@@ -685,6 +685,11 @@ static int detach_buf_split(struct vring_virtqueue *vq, unsigned int head,
if (!inside_split_ring(vq, i))
return -EIO;
vq->vq.num_free++;
+ if (WARN_ONCE(vq->vq.num_free >
+ vq->split.queue_size_in_bytes /
+ sizeof(struct vring_desc),
+ "Virtio freelist corrupted"))
+ return -EIO;
}
vring_unmap_one_split(vq, &vq->split.vring.desc[i]);
--
2.25.4
Powered by blists - more mailing lists