On 11.11.20 13:43, Stefan Hajnoczi wrote:
Check that the sector number and byte count are valid.

Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com>
---
  block/export/vhost-user-blk-server.c | 14 ++++++++++++++
  1 file changed, 14 insertions(+)

diff --git a/block/export/vhost-user-blk-server.c 
b/block/export/vhost-user-blk-server.c
index d88e41714d..6d7fd0fec3 100644
--- a/block/export/vhost-user-blk-server.c
+++ b/block/export/vhost-user-blk-server.c
@@ -214,9 +214,23 @@ static void coroutine_fn vu_blk_virtio_process_req(void 
*opaque)
          QEMUIOVector qiov;
          if (is_write) {
              qemu_iovec_init_external(&qiov, out_iov, out_num);
+
+            if (unlikely(!vu_blk_sect_range_ok(vexp, req->sector_num,
+                                               qiov.size))) {
+                req->in->status = VIRTIO_BLK_S_IOERR;
+                break;
+            }
+
              ret = blk_co_pwritev(blk, offset, qiov.size, &qiov, 0);
          } else {
              qemu_iovec_init_external(&qiov, in_iov, in_num);
+
+            if (unlikely(!vu_blk_sect_range_ok(vexp, req->sector_num,
+                                               qiov.size))) {
+                req->in->status = VIRTIO_BLK_S_IOERR;
+                break;
+            }
+
              ret = blk_co_preadv(blk, offset, qiov.size, &qiov, 0);
          }
          if (ret >= 0) {
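Review bot: the range check is duplicated verbatim in the write and read branches of this hunk; hoisting it above `if (is_write)` (after picking the iovec with `is_write ? out_iov : in_iov` and `is_write ? out_num : in_num`) removes the copy and keeps the two paths from drifting apart. The check also pairs a sector-indexed value (`req->sector_num`) with a byte count (`qiov.size`), so a comment at the call site, or in the commit message, stating which unit `sector_num` is in and that `vu_blk_sect_range_ok()` does the conversion would help the next reader verify the bound.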

req->sector_num is not a block layer sector, though (i.e. not a 512-byte sector); it references sectors of size vexp->blk_size (which I presume aren’t necessarily 512 bytes in length).

Second, I now understand why vu_blk_sect_range_ok() takes a byte length; but with an arbitrary length as given here, it must also round that down when converting that length to block layer sectors. (Or just compare the byte length against the result of bdrv_getlength().)

Max
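The rounding problem raised in the reply, as an added example that is not QEMU's code: a constructed check that converts the byte length to sectors with truncating division beside a byte-level check with explicit overflow guards. The `BlkExportCtx` struct, its `blk_size` and `dev_len` fields, and the 1 MiB / 4 KiB sample device are assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the export state; only the fields the check needs. */
typedef struct {
    uint64_t blk_size;  /* bytes per request sector (the reply's vexp->blk_size) */
    int64_t  dev_len;   /* device length in bytes, as bdrv_getlength() reports it */
} BlkExportCtx;

/* Flawed variant: the byte length is converted to sectors by truncating
 * division, so a request ending part-way past the last sector is accepted. */
static bool range_ok_sector_units(const BlkExportCtx *ctx, uint64_t sector_num, uint64_t len)
{
    uint64_t nb_sectors = len / ctx->blk_size;               /* partial sector dropped */
    uint64_t total = (uint64_t)ctx->dev_len / ctx->blk_size;
    return sector_num <= total && nb_sectors <= total - sector_num;
}

/* Hardened variant: compare in bytes (no rounding) and refuse any arithmetic
 * that would wrap, so a huge sector_num cannot alias a small offset. */
static bool range_ok_bytes(const BlkExportCtx *ctx, uint64_t sector_num, uint64_t len)
{
    if (ctx->blk_size == 0 || ctx->dev_len < 0) {
        return false;
    }
    if (sector_num > UINT64_MAX / ctx->blk_size) {
        return false;                                        /* sector_num * blk_size wraps */
    }
    uint64_t offset = sector_num * ctx->blk_size;
    if (len > UINT64_MAX - offset) {
        return false;                                        /* offset + len wraps */
    }
    return offset + len <= (uint64_t)ctx->dev_len;
}

/* Constructed 1 MiB device with 4 KiB sectors: 256 sectors, the last one is 255. */
static const BlkExportCtx demo_ctx = { 4096, 1u << 20 };

int main(void)
{
    /* 4097 bytes starting at sector 255 end one byte past the device. */
    printf("sector-unit check accepts: %d (wrong)\n", range_ok_sector_units(&demo_ctx, 255, 4097));
    printf("byte check accepts:        %d\n", range_ok_bytes(&demo_ctx, 255, 4097));
    return 0;
}
```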
