virtio: validate indirect descriptor table size#2783
Open
benhillis wants to merge 2 commits into microsoft:main from
Conversation
Contributor
Pull request overview
This PR hardens virtio queue parsing by validating the guest-provided indirect descriptor table length before creating a subrange and iterating descriptors, preventing misaligned lengths from causing reads into adjacent memory.
Changes:
- Add a new QueueError::InvalidIndirectSize(u32) error for invalid indirect descriptor table lengths.
- Validate that the indirect descriptor table length is non-zero and a multiple of the spec::Descriptor size before mapping/reading it.
Comments suppressed due to low confidence (1)
vm/devices/virtio/virtio/src/queue.rs:286
descriptor.length.get() is read into indirect_len, but the subsequent subrange() call re-reads descriptor.length.get() instead of using the validated local value. Reuse indirect_len for the subrange length to keep the logic consistent and avoid future edits accidentally bypassing the validation.
let indirect_len = descriptor.length.get();
if indirect_len == 0 || indirect_len as usize % size_of::<spec::Descriptor>() != 0 {
    return Err(QueueError::InvalidIndirectSize(indirect_len));
}
// TODO: should we really create a subrange for this, or is it
// rare enough for the HCS case that we can just read it
// directly?
let indirect_queue = self.indirect_queue.insert(
    self.queue
        .mem
        .subrange(
            descriptor.address.get(),
            descriptor.length.get() as u64,
            true,
added 2 commits on February 10, 2026 20:10
The indirect descriptor table length from the guest was not validated to be a non-zero multiple of the descriptor size (16 bytes). A misaligned length could cause the last partial descriptor to be read from adjacent memory. Add an explicit check.
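To make the failure mode in the commit message concrete, here is an added example written for this page (not OpenVMM's queue.rs): a pre-fix walk that decodes every 16-byte stride starting inside the guest-claimed length, beside the hardened walk that rejects zero or misaligned lengths, both run over a constructed memory buffer. The Descriptor and QueueError types are stand-ins modelled on the names in the PR; decode, parse_unchecked, parse_checked and sample_memory are this example's own.

```rust
use std::convert::TryInto;
use std::mem::size_of;

/// Virtio split-ring descriptor as laid out in guest memory (16 bytes).
#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq)]
struct Descriptor {
    address: u64,
    length: u32,
    flags: u16,
    next: u16,
}
/// Stand-in for the error variant the PR adds.
#[derive(Debug, PartialEq)]
enum QueueError {
    InvalidIndirectSize(u32),
}
/// Decode one descriptor from 16 little-endian bytes.
fn decode(b: &[u8]) -> Descriptor {
    Descriptor {
        address: u64::from_le_bytes(b[0..8].try_into().unwrap()),
        length: u32::from_le_bytes(b[8..12].try_into().unwrap()),
        flags: u16::from_le_bytes(b[12..14].try_into().unwrap()),
        next: u16::from_le_bytes(b[14..16].try_into().unwrap()),
    }
}
/// Unchecked walk (pre-fix behaviour): every 16-byte stride that starts inside
/// `len` is decoded, so a misaligned `len` takes the last descriptor's tail from `mem` beyond the table.
fn parse_unchecked(mem: &[u8], len: u32) -> Vec<Descriptor> {
    let d = size_of::<Descriptor>();
    (0..len as usize).step_by(d).map(|o| decode(&mem[o..o + d])).collect()
}
/// Hardened walk: reject zero or misaligned lengths up front, as the PR does.
fn parse_checked(mem: &[u8], len: u32) -> Result<Vec<Descriptor>, QueueError> {
    if len == 0 || len as usize % size_of::<Descriptor>() != 0 {
        return Err(QueueError::InvalidIndirectSize(len));
    }
    Ok(parse_unchecked(mem, len))
}
/// Constructed guest memory: one full descriptor, 8 trailing table bytes (0x11)
/// that a misaligned length of 24 would claim, then 16 bytes of adjacent memory (0xAA).
fn sample_memory() -> Vec<u8> {
    let mut mem = Vec::new();
    mem.extend_from_slice(&0x1000u64.to_le_bytes()); // descriptor 0: address
    mem.extend_from_slice(&512u32.to_le_bytes()); // descriptor 0: length
    mem.extend_from_slice(&[0u8; 4]); // descriptor 0: flags = 0, next = 0
    mem.extend_from_slice(&[0x11; 8]); // partial descriptor inside the table
    mem.extend_from_slice(&[0xAA; 16]); // adjacent memory, not the table
    mem
}
```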