Patchwork [v2,4/4] virtio-serial: Don't copy over guest buffer to host

login
register
mail settings
Submitter Amit Shah
Date Dec. 10, 2010, 3:25 p.m.
Message ID <924b803710eb3c832247fc045e627c17f360da18.1291994656.git.amit.shah@redhat.com>
Download mbox | patch
Permalink /patch/75106/
State New
Headers show

Comments

Amit Shah - Dec. 10, 2010, 3:25 p.m.
When the guest writes something to a host, we copied over the entire
buffer first into the host and then processed it.  Do away with that, it
could result in a malicious guest causing a DoS on the host.

Reported-by: Paul Brook <paul@codesourcery.com>
Signed-off-by: Amit Shah <amit.shah@redhat.com>
---
 hw/virtio-serial-bus.c |   16 ++++++++--------
 1 files changed, 8 insertions(+), 8 deletions(-)

Patch

diff --git a/hw/virtio-serial-bus.c b/hw/virtio-serial-bus.c
index ecf0056..a0886a2 100644
--- a/hw/virtio-serial-bus.c
+++ b/hw/virtio-serial-bus.c
@@ -125,16 +125,16 @@  static void do_flush_queued_data(VirtIOSerialPort *port, VirtQueue *vq,
         return;
     }
     while (virtqueue_pop(vq, &elem)) {
-        uint8_t *buf;
-        size_t ret, buf_size;
+        unsigned int i;
 
-        if (!discard) {
-            buf_size = iov_size(elem.out_sg, elem.out_num);
-            buf = qemu_malloc(buf_size);
-            ret = iov_to_buf(elem.out_sg, elem.out_num, buf, 0, buf_size);
+        for (i = 0; !discard && i < elem.out_num; i++) {
+            size_t buf_size;
 
-            port->info->have_data(port, buf, ret);
-            qemu_free(buf);
+            buf_size = elem.out_sg[i].iov_len;
+
+            port->info->have_data(port,
+                                  elem.out_sg[i].iov_base,
+                                  buf_size);
         }
         virtqueue_push(vq, &elem, 0);
     }