mirror of
https://chromium.googlesource.com/crosvm/crosvm
synced 2024-11-25 13:23:08 +00:00
232ada7187
The `next_avail` field is a Wrapping<u16> but we pull out the underlying u16 when calculating the descriptor index address offset in Queue::pop and only convert the result to a u64 after applying all the operations. This can cause a u16 overflow if the queue size is the max allowed (2^15). Instead, convert to a u64 immediately after calculating the index so that the rest of the operations are carried out as u64s and will not overflow.

BUG=chromium:1018319
TEST=`cros_fuzz reproduce` and unit tests

Change-Id: I49743e239e2a407498d862c5137930f3f0cdf72a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/1884404
Reviewed-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Daniel Verkamp <dverkamp@chromium.org>
Auto-Submit: Chirantan Ekbote <chirantan@chromium.org>
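Added illustration (not the commit's own code and not crosvm's actual expressions, which this page does not show): the overflow described above, reproduced against the virtio `vring_avail` layout, where a u16 `flags` and a u16 `idx` precede the u16 ring entries, so entry `i` sits at byte offset `4 + 2*i`. The function names, the checked-arithmetic wrapper used to make the overflow visible, and the `avail_entry_addr` helper are assumptions for the demonstration.

```rust
use std::num::Wrapping;

/// Bytes occupied by the `flags` and `idx` fields that precede the ring
/// entries in the virtio `vring_avail` structure.
const AVAIL_RING_HEADER_LEN: u16 = 4;

/// Size of one available-ring entry (a u16 descriptor index).
const AVAIL_ENTRY_LEN: u16 = 2;

/// Offset of the avail-ring entry for `next_avail`, computed entirely in u16
/// (the pre-fix pattern the commit message describes). Checked arithmetic is
/// used here so the overflow surfaces as `None` rather than as a debug-build
/// panic or a silent release-build wrap.
fn avail_entry_offset_u16(next_avail: Wrapping<u16>, queue_size: u16) -> Option<u16> {
    let index = next_avail.0 % queue_size;
    index
        .checked_mul(AVAIL_ENTRY_LEN)?
        .checked_add(AVAIL_RING_HEADER_LEN)
}

/// The fix: widen to u64 immediately after the modulo, so the multiply and
/// the add happen in u64 and cannot overflow for any u16 index.
fn avail_entry_offset_u64(next_avail: Wrapping<u16>, queue_size: u16) -> u64 {
    let index = u64::from(next_avail.0 % queue_size);
    index * u64::from(AVAIL_ENTRY_LEN) + u64::from(AVAIL_RING_HEADER_LEN)
}

/// Hypothetical helper: guest-physical address of the entry, i.e. the base of
/// the available ring plus the widened offset. The final add is still checked
/// because the ring base address comes from the guest.
fn avail_entry_addr(avail_ring_base: u64, next_avail: Wrapping<u16>, queue_size: u16) -> Option<u64> {
    avail_ring_base.checked_add(avail_entry_offset_u64(next_avail, queue_size))
}

fn main() {
    // Maximum queue size named in the commit message: 2^15 entries.
    let queue_size: u16 = 1 << 15;
    // next_avail pointing at the last ring slot. It is Wrapping because the
    // counter legitimately runs past the ring size during normal operation.
    let next_avail = Wrapping(queue_size - 1);

    // u16 arithmetic: 4 + 2 * 32767 = 65538, which does not fit in a u16.
    println!("u16 arithmetic: {:?}", avail_entry_offset_u16(next_avail, queue_size)); // None
    // u64 arithmetic: the same computation, now representable.
    println!("u64 arithmetic: {}", avail_entry_offset_u64(next_avail, queue_size)); // 65538

    // The counter wrapping past the ring size is fine: the modulo keeps the
    // index inside the ring.
    let wrapped = Wrapping(queue_size) + Wrapping(5);
    println!("wrapped counter offset: {}", avail_entry_offset_u64(wrapped, queue_size)); // 14
}
```

For queue sizes of 256 or fewer the u16 version never overflows (the largest offset is 4 + 2*255 = 514), which is why the defect only shows up when a guest configures the maximum queue size.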