On Mon, Jul 21, 2025 at 11:02 PM Jonah Palmer <jonah.pal...@oracle.com> wrote:
>
> Commit b44135daa372 introduced virtqueue_ordered_fill for
> VIRTIO_F_IN_ORDER support but had a few issues:
>
> * Conditional while loop used 'steps <= max_steps' but should've been
>   'steps < max_steps' since reaching steps == max_steps would indicate
>   that we didn't find an element, which is an error. Without this
>   change, the code would attempt to read invalid data at an index
>   outside of our search range.
>
> * Incremented 'steps' using the next chain's ndescs instead of the
>   current one.
>
> This patch corrects the loop bounds and synchronizes 'steps' and index
> increments.
>
> We also add a defensive sanity check against malicious or invalid
> descriptor counts to avoid a potential infinite loop and DoS.
>
> Fixes: b44135daa372 ("virtio: virtqueue_ordered_fill - VIRTIO_F_IN_ORDER support")
> Reported-by: terrynini <terrynini38...@gmail.com>
> Signed-off-by: Jonah Palmer <jonah.pal...@oracle.com>
> ---

Acked-by: Jason Wang <jasow...@redhat.com>

Thanks
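
The two loop fixes and the descriptor-count check described in the quoted commit message, as an added example on a simplified model. This is not QEMU's code: `struct slot`, `find_slot`, both sample rings and the exact form of the sanity check are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified stand-in for a used-ring slot; not QEMU's element type. */
struct slot {
    unsigned index;   /* head descriptor id of the chain */
    unsigned ndescs;  /* descriptors in the chain (guest-influenced) */
};

/* Constructed sample: two chains in flight (3 + 2 descriptors), then a
 * stale entry at slot 5 that lies outside the search range. */
static const struct slot sample_ring[8] = {
    [0] = { .index = 0, .ndescs = 3 },
    [3] = { .index = 3, .ndescs = 2 },
    [5] = { .index = 9, .ndescs = 1 },
};
/* Constructed sample: first chain claims zero descriptors. */
static const struct slot zero_ring[8] = { [0] = { .index = 0, .ndescs = 0 } };

/* Returns the slot holding chain 'want', or -1 if it is not within
 * 'max_steps' descriptors of 'start' or a descriptor count is invalid. */
int find_slot(const struct slot *ring, unsigned num, unsigned start,
              unsigned max_steps, unsigned want)
{
    unsigned i = start % num;
    unsigned steps = 0;

    /* '<', not '<=': steps == max_steps means the range is exhausted. */
    while (steps < max_steps) {
        if (ring[i].index == want) {
            return (int)i;
        }
        unsigned n = ring[i].ndescs;  /* current chain's count, read once */
        if (n == 0 || n > num) {      /* assumed form of the sanity check */
            return -1;
        }
        steps += n;                   /* steps and index move together */
        i = (i + n) % num;
    }
    return -1;
}

int main(void)
{
    printf("in range: %d\n", find_slot(sample_ring, 8, 0, 5, 3));
    printf("stale:    %d\n", find_slot(sample_ring, 8, 0, 5, 9));
    printf("zero:     %d\n", find_slot(zero_ring, 8, 0, 5, 7));
    return 0;
}
```

With a `<=` bound the second call would go on to read slot 5 and match the stale entry; without the count check the third call would never advance.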

