| Message ID | 1363870317-19582-1-git-send-email-luis.henriques@canonical.com |
|---|---|
| State | New |
| Headers | show |
diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c index 3c4dcc3d9..f2e8236 100644 --- a/drivers/vhost/net.c +++ b/drivers/vhost/net.c @@ -235,7 +235,8 @@ static void handle_tx(struct vhost_net *net) msg.msg_controllen = 0; ubufs = NULL; } else { - struct ubuf_info *ubuf = &vq->ubuf_info[head]; + struct ubuf_info *ubuf; + ubuf = vq->ubuf_info + vq->upend_idx; vq->heads[vq->upend_idx].len = len; ubuf->callback = vhost_zerocopy_callback;
This is a note to let you know that I have just added a patch titled vhost/net: fix heads usage of ubuf_info to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.5.y.z tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Luis ------ From 103a1dfc6f64fa5929d9e0980334ecfbd3a4cf40 Mon Sep 17 00:00:00 2001 From: "Michael S. Tsirkin" <mst@redhat.com> Date: Sun, 17 Mar 2013 02:46:09 +0000 Subject: [PATCH] vhost/net: fix heads usage of ubuf_info commit 46aa92d1ba162b4b3d6b7102440e459d4e4ee255 upstream. ubuf info allocator uses guest controlled head as an index, so a malicious guest could put the same head entry in the ring twice, and we will get two callbacks on the same value. To fix use upend_idx which is guaranteed to be unique. Reported-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Luis Henriques <luis.henriques@canonical.com> --- drivers/vhost/net.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -- 1.8.1.2