Blob Blame History Raw
From 328d99710a005b9042c4d4c423f3f5a21f0e8ead Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi <>
Date: Mon, 25 Jul 2016 12:55:36 +0200
Subject: [PATCH] virtio: error out if guest exceeds virtqueue size
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RH-Author: Stefan Hajnoczi <>
Message-id: <>
Patchwork-id: 71428
O-Subject: [virt-devel] [RHEL-7.3 EMBARGOED qemu-kvm PATCH 1/1] virtio: error out if guest exceeds virtqueue size
Bugzilla: 1359728
RH-Acked-by: Thomas Huth <>
RH-Acked-by: Marc-André Lureau <>
RH-Acked-by: Laszlo Ersek <>

A broken or malicious guest can submit more requests than the virtqueue
size permits.

The guest can submit requests without bothering to wait for completion
and is therefore not bound by virtqueue size.  This requires reusing
vring descriptors in more than one request, which is incorrect but
possible.  Processing a request allocates a VirtQueueElement and
therefore causes unbounded memory allocation controlled by the guest.

Exit with an error if the guest provides more requests than the
virtqueue size permits.  This bounds memory allocation and makes the
buggy guest visible to the user.

This patch fixes CVE-2016-5403.

Signed-off-by: Stefan Hajnoczi <>
Signed-off-by: Miroslav Rezanina <>
 hw/virtio/virtio.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index 132b5af..a861870 100644
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -452,6 +452,11 @@ int virtqueue_pop(VirtQueue *vq, VirtQueueElement *elem)
     max = vq->vring.num;
+    if (vq->inuse >= max) {
+        error_report("Virtqueue size exceeded");
+        exit(1);
+    }
     i = head = virtqueue_get_head(vq, vq->last_avail_idx++);
     if (vq->vdev->guest_features & (1 << VIRTIO_RING_F_EVENT_IDX)) {
         vring_avail_event(vq, vring_avail_idx(vq));