On Sun, May 08, 2011 at 10:29:07PM +0100, Stefan Hajnoczi wrote:
> The virtio_queue_notify() function checks that the virtqueue number is
> less than the maximum number of virtqueues. A signed comparison is used
> but the virtqueue number could be negative if a buggy or malicious guest
> is run.
On Sun, May 8, 2011 at 10:29 PM, Stefan Hajnoczi
wrote:
> The virtio_queue_notify() function checks that the virtqueue number is
> less than the maximum number of virtqueues. A signed comparison is used
> but the virtqueue number could be negative if a buggy or malicious guest
> is run. This res
The virtio_queue_notify() function checks that the virtqueue number is
less than the maximum number of virtqueues. A signed comparison is used
but the virtqueue number could be negative if a buggy or malicious guest
is run. This results in memory accesses outside of the virtqueue array.
It is ri
