aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCornelia Huck <cornelia.huck@de.ibm.com>2015-03-20 13:08:36 +0100
committerCornelia Huck <cornelia.huck@de.ibm.com>2015-03-30 09:25:17 +0200
commit590fe5722b522e492a9c78adadae4def35b137dd (patch)
treec82b2449005a9f38b8ccf410c9ed7094acc9355e
parent627f91b1f80fecc73d00727181a9ddb6162cc30e (diff)
downloadqemu-arm-590fe5722b522e492a9c78adadae4def35b137dd.tar.gz
virtio-ccw: fix range check for SET_VQ
VIRTIO_PCI_QUEUE_MAX is already too big; a malicious guest would be able to trigger a write beyond the VirtQueue structure. Cc: qemu-stable@nongnu.org Reviewed-by: David Hildenbrand <dahi@linux.vnet.ibm.com> Acked-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
-rw-r--r--hw/s390x/virtio-ccw.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/hw/s390x/virtio-ccw.c b/hw/s390x/virtio-ccw.c
index 130535cdc3..ceb6a45703 100644
--- a/hw/s390x/virtio-ccw.c
+++ b/hw/s390x/virtio-ccw.c
@@ -266,7 +266,7 @@ static int virtio_ccw_set_vqs(SubchDev *sch, uint64_t addr, uint32_t align,
{
VirtIODevice *vdev = virtio_ccw_get_vdev(sch);
- if (index > VIRTIO_PCI_QUEUE_MAX) {
+ if (index >= VIRTIO_PCI_QUEUE_MAX) {
return -EINVAL;
}