virtio: add check for descriptor's mapped address

virtio back end uses set of buffers to facilitate I/O operations.
If its size is too large, 'cpu_physical_memory_map' could return
a null address. This would result in a null dereference while
un-mapping descriptors. Add check to avoid it.

Reported-by: Qinghao Tang <luodalongde@gmail.com>
Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>

diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c
index fcf3358..bb656b1 100644 (file)
--- a/hw/virtio/virtio.c
+++ b/hw/virtio/virtio.c
@@ -495,6 +495,11 @@ static void virtqueue_map_desc(unsigned int *p_num_sg, hwaddr *addr, struct iove
         }
 
         iov[num_sg].iov_base = cpu_physical_memory_map(pa, &len, is_write);
+        if (!iov[num_sg].iov_base) {
+            error_report("virtio: bogus descriptor or out of resources");
+            exit(1);
+        }
+
         iov[num_sg].iov_len = len;
         addr[num_sg] = pa;