virtio: guard against negative vq notifies

The virtio_queue_notify() function checks that the virtqueue number is
less than the maximum number of virtqueues.  A signed comparison is used
but the virtqueue number could be negative if a buggy or malicious guest
is run.  This results in memory accesses outside of the virtqueue array.

It is risky doing input validation in common code instead of at the
guest<->host boundary.  Note that virtio_queue_set_addr(),
virtio_queue_get_addr(), virtio_queue_get_num(), and many other virtio
functions do *not* validate the virtqueue number argument.

Instead of fixing the comparison in virtio_queue_notify(), move the
comparison to the virtio bindings (just like VIRTIO_PCI_QUEUE_SEL) where
we have a uint32_t value and can avoid ever calling into common virtio
code if the virtqueue number is invalid.

Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

1 files changed, 3 insertions, 1 deletions

diff --git a/hw/virtio-pci.c b/hw/virtio-pci.c
index 270e2c743..b86c44162 100644
--- a/hw/virtio-pci.c
+++ b/hw/virtio-pci.c
@@ -348,7 +348,9 @@ static void virtio_ioport_write(void *opaque, uint32_t addr, uint32_t val)
             vdev->queue_sel = val;
         break;
     case VIRTIO_PCI_QUEUE_NOTIFY:
-        virtio_queue_notify(vdev, val);
+        if (val < VIRTIO_PCI_QUEUE_MAX) {
+            virtio_queue_notify(vdev, val);
+        }
         break;
     case VIRTIO_PCI_STATUS:
         if (!(val & VIRTIO_CONFIG_S_DRIVER_OK)) {