> -----Original Message-----
> From: Liu, Yong <[email protected]>
> Sent: Wednesday, March 31, 2021 2:50 PM
> To: [email protected]; Xia, Chenbo <[email protected]>
> Cc: [email protected]; Liu, Yong <[email protected]>; [email protected]
> Subject: [PATCH 1/3] vhost: fix split ring potential buffer overflow
>
> In vhost datapath, descriptor's length is mostly used in two coherent
> operations. First step is used for address translation, second step is
> used for memory transaction from guest to host. But the interval between
> two steps will give a window for malicious guest, in which it can change
> descriptor length after vhost calculated buffer size. This may lead to
> buffer overflow in vhost side. This potential risk can be eliminated by
> accessing the descriptor length once.
>
> Fixes: 1be4ebb1c464 ("vhost: support indirect descriptor in mergeable Rx")
> Cc: [email protected]
>
> Signed-off-by: Marvin Liu <[email protected]>
> Reviewed-by: Maxime Coquelin <[email protected]>
> --
> 2.17.1
Series applied to next-virtio/main, Thanks!
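
The double fetch described in the quoted commit message, as an added example that is not part of the patch or of the vhost code: the descriptor length is read once for the size check and again for the copy, next to the single-fetch form the fix describes. `demo_desc`, `guest_hook`, `guest_grows_len` and `run_demo` are hypothetical names, and the "guest" is a constructed callback that rewrites the length between the two steps.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a descriptor in guest-writable shared memory. */
struct demo_desc {
    volatile uint32_t len;      /* guest may rewrite this at any time */
    const uint8_t *data;
};
/* Hypothetical hook: models the guest running between the two steps. */
typedef void (*guest_hook)(struct demo_desc *);
static void guest_grows_len(struct demo_desc *d) { d->len = 4096; }

/* Double fetch: len is read for the size check and read again for the copy.
 * Returns the length the copy would use; memcpy is skipped if it would overflow. */
size_t copy_double_fetch(struct demo_desc *d, uint8_t *dst, size_t dst_sz, guest_hook hook)
{
    if (d->len > dst_sz) return 0;  /* fetch 1: buffer size calculation */
    hook(d);                        /* the window between the two steps */
    size_t n = d->len;              /* fetch 2: length used by the copy */
    if (n <= dst_sz) memcpy(dst, d->data, n);
    return n;
}

/* Single fetch: one read into a local; check and copy use the same value. */
size_t copy_single_fetch(struct demo_desc *d, uint8_t *dst, size_t dst_sz, guest_hook hook)
{
    uint32_t len = d->len;          /* the only read of shared memory */
    if (len > dst_sz) return 0;
    hook(d);                        /* a later guest write no longer matters */
    memcpy(dst, d->data, len);
    return len;
}

/* Run one variant against a 64-byte buffer with the constructed guest. */
size_t run_demo(int single)
{
    static const uint8_t src[64] = {0};
    uint8_t dst[64];
    struct demo_desc d = { .len = sizeof(src), .data = src };
    return single ? copy_single_fetch(&d, dst, sizeof(dst), guest_grows_len)
                  : copy_double_fetch(&d, dst, sizeof(dst), guest_grows_len);
}

int main(void)
{
    printf("double fetch: %zu, single fetch: %zu\n", run_demo(0), run_demo(1));
}
```

The double-fetch variant passes its check with 64 and then picks up the rewritten length for the copy step, while the single-fetch variant stays at the validated 64 bytes.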

