vhost: reject invalid log base mmap offset

If the log base mmap_offset is larger than mmap_size then it points
outside the mmap region.  We must not write to memory outside the mmap
region, so validate mmap_offset in vhost_user_set_log_base().

Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>

diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index baf58dd..1a67e2c 100644 (file)
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -1006,6 +1006,15 @@ vhost_user_set_log_base(struct virtio_net *dev, struct VhostUserMsg *msg)
 
        size = msg->payload.log.mmap_size;
        off  = msg->payload.log.mmap_offset;
+
+       /* Don't allow mmap_offset to point outside the mmap region */
+       if (off > size) {
+               RTE_LOG(ERR, VHOST_CONFIG,
+                       "log offset %#"PRIx64" exceeds log size %#"PRIx64"\n",
+                       off, size);
+               return -1;
+       }
+
        RTE_LOG(INFO, VHOST_CONFIG,
                "log mmap size: %"PRId64", offset: %"PRId64"\n",
                size, off);