openbsd/src
1
0
Fork 0
mirror of https://github.com/openbsd/src.git synced 2026-06-18 07:13:36 +02:00
Code Activity

A privileged guest can make the host-side vioblk backend read a descriptor

Browse Source 
outside the configured virtqueue descriptor table and interpret the out-of-table
entry as a block request descriptor. In the confirmed run, the guest-controlled
out-of-table descriptor made `vmd(8)` read and log a guest-chosen block command
value, and the device entered `DEVICE_NEEDS_RESET`.
from Quarkslab
ok hshoexer, mlarkin
This commit is contained in:
deraadt
2026-05-28 17:09:38 +00:00
parent 25c1c09dc2
commit 7d1f47b8e7
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
usr.sbin/vmd/vioblk.c
+6 -1
View File
@@ -1,4 +1,4 @@
/* $OpenBSD: vioblk.c,v 1.28 2026/04/14 21:41:19 dv Exp $ */
/* $OpenBSD: vioblk.c,v 1.29 2026/05/28 17:09:38 deraadt Exp $ */
/*
* Copyright (c) 2023 Dave Voutila <dv@openbsd.org>
@@ -284,6 +284,11 @@ vioblk_notifyq(struct virtio_dev *dev, uint16_t vq_idx)
while (idx != avail->idx) {
/* Retrieve Command descriptor. */
cmd_desc_idx = avail->ring[idx & vq_info->mask];
if (cmd_desc_idx >= vq_info->qs) {
log_warnx("%s: invalid head descriptor index",
__func__);
goto reset;
}
desc = &table[cmd_desc_idx];
cmd_len = desc->len;