Skip to content

virtio: validate descriptor index from avail ring #2780

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
benhillis wants to merge 2 commits into
base: main
Choose a base branch
from
Open

virtio: validate descriptor index from avail ring #2780

benhillis wants to merge 2 commits into from

Conversation

@benhillis
Copy link
Member

@benhillis benhillis commented Feb 10, 2026

The descriptor index read from the guest's available ring was used directly without checking it against queue_size. A malicious or buggy guest could supply an out-of-range index. Add an explicit bounds check with a clear error message.

Copilot AI review requested due to automatic review settings February 10, 2026 16:23
@benhillis benhillis requested a review from a team as a code owner February 10, 2026 16:23
Copilot AI reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the virtio queue implementation against malicious or buggy guests by validating that descriptor indices read from the guest-provided avail ring are within the configured queue size, returning a specific error on violation.

Changes:

  • Add a new QueueError::InvalidDescriptorIndex(u16) error variant for invalid avail-ring descriptor indices.
  • Validate the descriptor index read from the avail ring against queue_size before using it.

@benhillis benhillis force-pushed the fix/virtio-descriptor-index-validation branch from 88b7723 to 4ca3965 Compare February 10, 2026 17:05
@benhillis benhillis mentioned this pull request Feb 10, 2026
Closed
OpenVMM Team added 2 commits February 10, 2026 19:55
virtio: validate descriptor index from avail ring
af3f000 
The descriptor index read from the guest's available ring was used
directly without checking it against queue_size. A malicious or buggy
guest could supply an out-of-range index. Add an explicit bounds check
with a clear error message.
virtio: reject queue_size of zero
0c6fd95 
A queue_size of 0 causes division-by-zero panics in
get_available_descriptor_index and set_used_descriptor, which both
compute modulo queue_size. Reject it early in QueueCore::new.
@benhillis benhillis force-pushed the fix/virtio-descriptor-index-validation branch from 4ca3965 to 0c6fd95 Compare February 10, 2026 19:58
@benhillis benhillis requested a review from Copilot February 10, 2026 19:59
Copilot AI reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

vm/devices/virtio/virtio/src/queue.rs
Comment on lines +44 to +45
#[error("descriptor index {0} is out of range")]
InvalidDescriptorIndex(u16),
Copy link

Copilot AI Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The InvalidDescriptorIndex error message doesn’t include the queue size / valid range, which makes debugging guest issues harder. Consider including queue_size in the variant (e.g., store both the index and queue_size) and mention the valid range in the error text.

Copilot uses AI. Check for mistakes.
vm/devices/virtio/virtio/src/queue.rs
mem: GuestMemory,
params: QueueParams,
) -> Result<Self, QueueError> {
if params.size == 0 {
Copy link

Copilot AI Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This new params.size == 0 check is redundant with QueueCoreGetWork::new’s is_power_of_two() validation (which already rejects 0), and it only checks for 0 (not other invalid sizes). To avoid inconsistent validation if SplitQueueGetWork::new is ever called directly, either remove this check (rely on the outer validation) or validate the full invariant here (non-zero power-of-two).

Suggested change
if params.size == 0 {
if !params.size.is_power_of_two() {

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@benhillis