From 1eb4ebe3d1d4781e3f836c42c460de710fd324be Mon Sep 17 00:00:00 2001
From: Rob Bradford <robert.bradford@intel.com>
Date: Mon, 29 Mar 2021 15:41:07 +0100
Subject: [PATCH] vm-virtio: queue: Fix descriptor chain validation

DescriptorChain::is_valid() wrongly used .checked_offset() to attempt to
validate that the descriptor's data is in valid memory. This works in
all cases except where the guest has placed the data at the very end of
the guest memory as the offset + offset will be outside the range (as
the combined offset will be the next byte and as such out of the guest
memory). Instead use the function .check_range() takes an offset and a
length to validate

This fixes issues see with error messages featuring the
DescriptorChainTooShort error.

Fixes: #2424

Signed-off-by: Rob Bradford <robert.bradford@intel.com>
---
 vm-virtio/src/queue.rs | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/vm-virtio/src/queue.rs b/vm-virtio/src/queue.rs
index c6df76843..353b15bae 100644
--- a/vm-virtio/src/queue.rs
+++ b/vm-virtio/src/queue.rs
@@ -265,10 +265,7 @@ impl<'a> DescriptorChain<'a> {
     }
 
     fn is_valid(&self) -> bool {
-        !(self
-            .mem
-            .checked_offset(self.addr, self.len as usize)
-            .is_none()
+        !(!self.mem.check_range(self.addr, self.len as usize)
             || (self.has_next() && self.next >= self.table_size))
     }