Am 26.03.2015 um 16:35 schrieb Cornelia Huck:
> VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be
> able to trigger a write beyond the VirtQueue structure.
>
> Cc: [email protected]
> Reviewed-by: David Hildenbrand <[email protected]>
> Signed-off-by: Cornelia Huck <[email protected]>
Acked-by: Christian Borntraeger <[email protected]>
> ---
> hw/s390x/virtio-ccw.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
> index 130535c..ceb6a45 100644
> --- a/hw/s390x/virtio-ccw.c
> +++ b/hw/s390x/virtio-ccw.c
> @@ -266,7 +266,7 @@ static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t
> addr, uint32_t align,
> {
> VirtIODevice *vdev = virtio_ccw_get_vdev(sch);
>
> - if (index > VIRTIO_PCI_QUEUE_MAX) {
> + if (index >= VIRTIO_PCI_QUEUE_MAX) {
> return -EINVAL;
> }
>
