On 11.11.20 13:43, Stefan Hajnoczi wrote:
Check that the sector number and byte count are valid.
Signed-off-by: Stefan Hajnoczi <stefa...@redhat.com>
---
block/export/vhost-user-blk-server.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/block/export/vhost-user-blk-server.c
b/block/export/vhost-user-blk-server.c
index d88e41714d..6d7fd0fec3 100644
--- a/block/export/vhost-user-blk-server.c
+++ b/block/export/vhost-user-blk-server.c
@@ -214,9 +214,23 @@ static void coroutine_fn vu_blk_virtio_process_req(void
*opaque)
QEMUIOVector qiov;
if (is_write) {
qemu_iovec_init_external(&qiov, out_iov, out_num);
+
+ if (unlikely(!vu_blk_sect_range_ok(vexp, req->sector_num,
+ qiov.size))) {
+ req->in->status = VIRTIO_BLK_S_IOERR;
+ break;
+ }
+
ret = blk_co_pwritev(blk, offset, qiov.size, &qiov, 0);
} else {
qemu_iovec_init_external(&qiov, in_iov, in_num);
+
+ if (unlikely(!vu_blk_sect_range_ok(vexp, req->sector_num,
+ qiov.size))) {
+ req->in->status = VIRTIO_BLK_S_IOERR;
+ break;
+ }
+
ret = blk_co_preadv(blk, offset, qiov.size, &qiov, 0);
}
if (ret >= 0) {
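Review bot: the two new range checks are byte-for-byte identical in the write and read branches; hoisting a single `vu_blk_sect_range_ok(vexp, req->sector_num, qiov.size)` check to run once after `qiov` has been initialised (and before either `blk_co_pwritev` or `blk_co_preadv`) would remove the duplication and make it harder for a future branch to miss the check. The hunk also does not show how `offset` is derived from `req->sector_num`, nor what sector unit `vu_blk_sect_range_ok()` expects, so it is worth confirming in the same patch that the check and the `offset` computation agree on the unit (device block size versus 512-byte block-layer sectors), and that a `qiov.size` that is not a whole multiple of the sector size is rejected rather than rounded, otherwise a request can pass the check yet still address bytes past the end of the device.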
req->sector_num is not a block layer sector, though (i.e. not a 512-byte
sector); it references sectors of size vexp->blk_size (which I presume
aren’t necessarily 512 bytes in length).
Second, I now understand why vu_blk_sect_range_ok() takes a byte length;
but with an arbitrary length as given here, it must also round that down
when converting that length to block layer sectors. (Or just compare
the byte length against the result of bdrv_getlength().)
Max