On 01/18/2018 05:04 PM, Yongji Xie wrote:
The sg list/indirect descriptor table may be contiguous in GPA but not in HVA address space. But libvhost-user wasn't aware of that. This would cause out-of-bounds access. Even a malicious guest could use it to get information from the vhost-user backend.

Introduce a plen parameter in vu_gpa_to_va() so we can handle this case, returning the actual mapped length.

Signed-off-by: Yongji Xie <xieyon...@baidu.com>
---
 contrib/libvhost-user/libvhost-user.c | 133 +++++++++++++++++++++++++++++----
 contrib/libvhost-user/libvhost-user.h | 3 +-
 2 files changed, 122 insertions(+), 14 deletions(-)

Reviewed-by: Maxime Coquelin <maxime.coque...@redhat.com>

Thanks,
Maxime
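
The case the commit message describes, as an added example that is not code from the patch or from libvhost-user: a translation that reports the contiguously mapped length, and a caller that splits a guest buffer at region boundaries instead of reading past the first mapping. The region table, `struct seg`, `map_guest_buf()`, the simplified `gpa_to_va()` signature and the memory layout are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical region table entry: guest-physical range -> host-virtual base. */
struct region { uint64_t gpa, size; uint8_t *hva; };
struct seg { void *base; uint64_t len; };
/* Constructed layout: adjacent in GPA, reversed in host memory (not HVA-contiguous). */
static uint8_t backing[0x3000];
static const struct region regions[] = {
    { 0x10000, 0x1000, backing + 0x2000 },
    { 0x11000, 0x1000, backing },
};

/* *plen: wanted length in, contiguously mapped length out (0 if unmapped). */
static void *gpa_to_va(uint64_t gpa, uint64_t *plen)
{
    for (size_t i = 0; i < sizeof(regions) / sizeof(regions[0]); i++) {
        const struct region *r = &regions[i];
        if (gpa >= r->gpa && gpa - r->gpa < r->size) {
            uint64_t avail = r->size - (gpa - r->gpa);
            if (*plen > avail) *plen = avail;   /* never promise bytes past the region */
            return r->hva + (gpa - r->gpa);
        }
    }
    *plen = 0;
    return NULL;
}

/* Split a guest buffer into host segments; -1 if unmapped or more than max needed. */
static int map_guest_buf(uint64_t gpa, uint64_t len, struct seg *out, int max)
{
    int n = 0;
    while (len) {
        uint64_t chunk = len;
        void *va = gpa_to_va(gpa, &chunk);
        if (!va || n == max) return -1;
        out[n++] = (struct seg){ va, chunk };
        gpa += chunk;                           /* continue in the next region */
        len -= chunk;
    }
    return n;
}

int main(void)
{
    struct seg s[4];
    printf("segments: %d\n", map_guest_buf(0x10f00, 0x200, s, 4));
    return 0;
}
```

A caller that ignored the returned length and used `base` for all 0x200 bytes would run 0x100 bytes past the end of the first region's host mapping, which is the out-of-bounds access the commit message refers to.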