feat: validate driver set queue size

ShadowCurse · ShadowCurse · commit d15ded14a0a2 · 2025-06-13T15:48:16.000+01:00
Add a validation of the queue size set by the guest.

Signed-off-by: Egor Lazarchuk &lt;yegorlz@amazon.co.uk&gt;
diff --git a/src/vmm/src/devices/virtio/balloon/device.rs b/src/vmm/src/devices/virtio/balloon/device.rs
@@ -606,8 +606,7 @@ impl VirtioDevice for Balloon {
 
     fn activate(&mut self, mem: GuestMemoryMmap) -> Result<(), ActivateError> {
         for q in self.queues.iter_mut() {
-            q.initialize(&mem)
-                .map_err(ActivateError::QueueMemoryError)?;
+            q.initialize(&mem).map_err(ActivateError::QueueError)?;
         }
 
         self.device_state = DeviceState::Activated(mem);
diff --git a/src/vmm/src/devices/virtio/block/vhost_user/device.rs b/src/vmm/src/devices/virtio/block/vhost_user/device.rs
@@ -332,8 +332,7 @@ impl<T: VhostUserHandleBackend + Send + 'static> VirtioDevice for VhostUserBlock
 
     fn activate(&mut self, mem: GuestMemoryMmap) -> Result<(), ActivateError> {
         for q in self.queues.iter_mut() {
-            q.initialize(&mem)
-                .map_err(ActivateError::QueueMemoryError)?;
+            q.initialize(&mem).map_err(ActivateError::QueueError)?;
         }
 
         let start_time = get_time_us(ClockType::Monotonic);
diff --git a/src/vmm/src/devices/virtio/block/virtio/device.rs b/src/vmm/src/devices/virtio/block/virtio/device.rs
@@ -628,8 +628,7 @@ impl VirtioDevice for VirtioBlock {
 
     fn activate(&mut self, mem: GuestMemoryMmap) -> Result<(), ActivateError> {
         for q in self.queues.iter_mut() {
-            q.initialize(&mem)
-                .map_err(ActivateError::QueueMemoryError)?;
+            q.initialize(&mem).map_err(ActivateError::QueueError)?;
         }
 
         let event_idx = self.has_feature(u64::from(VIRTIO_RING_F_EVENT_IDX));
diff --git a/src/vmm/src/devices/virtio/mod.rs b/src/vmm/src/devices/virtio/mod.rs
@@ -72,8 +72,8 @@ pub enum ActivateError {
     VhostUser(vhost_user::VhostUserError),
     /// Setting tap interface offload flags failed: {0}
     TapSetOffload(TapError),
-    /// Error setting pointers in the queue: (0)
-    QueueMemoryError(QueueError),
+    /// Error initializing the queue: (0)
+    QueueError(QueueError),
 }
 
 /// Trait that helps in upcasting an object to Any
diff --git a/src/vmm/src/devices/virtio/net/device.rs b/src/vmm/src/devices/virtio/net/device.rs
@@ -1000,8 +1000,7 @@ impl VirtioDevice for Net {
 
     fn activate(&mut self, mem: GuestMemoryMmap) -> Result<(), ActivateError> {
         for q in self.queues.iter_mut() {
-            q.initialize(&mem)
-                .map_err(ActivateError::QueueMemoryError)?;
+            q.initialize(&mem).map_err(ActivateError::QueueError)?;
         }
 
         let event_idx = self.has_feature(u64::from(VIRTIO_RING_F_EVENT_IDX));
diff --git a/src/vmm/src/devices/virtio/queue.rs b/src/vmm/src/devices/virtio/queue.rs
@@ -32,6 +32,8 @@ pub enum QueueError {
     DescIndexOutOfBounds(u16),
     /// Failed to write value into the virtio queue used ring: {0}
     MemoryError(#[from] vm_memory::GuestMemoryError),
+    /// Invalid queue size configured by the driver: max: {0} configured: {1}
+    InvalidQueueSize(u16, u16),
     /// Pointer is not aligned properly: {0:#x} not {1}-byte aligned.
     PointerNotAligned(usize, u8),
 }
@@ -322,9 +324,14 @@ impl Queue {
         Ok(slice.ptr_guard_mut().as_ptr())
     }
 
+    /// Do final checks and setup of the queue before it can be usable.
     /// Set up pointers to the queue objects in the guest memory
     /// and mark memory dirty for those objects
     pub fn initialize<M: GuestMemory>(&mut self, mem: &M) -> Result<(), QueueError> {
+        if self.max_size < self.size {
+            return Err(QueueError::InvalidQueueSize(self.max_size, self.size));
+        }
+
         self.desc_table_ptr = self
             .get_slice_ptr(mem, self.desc_table_address, self.desc_table_size())?
             .cast();
diff --git a/src/vmm/src/devices/virtio/rng/device.rs b/src/vmm/src/devices/virtio/rng/device.rs
@@ -294,8 +294,7 @@ impl VirtioDevice for Entropy {
 
     fn activate(&mut self, mem: GuestMemoryMmap) -> Result<(), ActivateError> {
         for q in self.queues.iter_mut() {
-            q.initialize(&mem)
-                .map_err(ActivateError::QueueMemoryError)?;
+            q.initialize(&mem).map_err(ActivateError::QueueError)?;
         }
 
         self.activate_event.write(1).map_err(|_| {
diff --git a/src/vmm/src/devices/virtio/vsock/device.rs b/src/vmm/src/devices/virtio/vsock/device.rs
@@ -331,8 +331,7 @@ where
 
     fn activate(&mut self, mem: GuestMemoryMmap) -> Result<(), ActivateError> {
         for q in self.queues.iter_mut() {
-            q.initialize(&mem)
-                .map_err(ActivateError::QueueMemoryError)?;
+            q.initialize(&mem).map_err(ActivateError::QueueError)?;
         }
 
         if self.queues.len() != defs::VSOCK_NUM_QUEUES {

Original file line number	Diff line number	Diff line change
`@@ -606,8 +606,7 @@ impl VirtioDevice for Balloon {`
`606`	`606`
`607`	`607`	`fn activate(&mut self, mem: GuestMemoryMmap) -> Result<(), ActivateError> {`
`608`	`608`	`for q in self.queues.iter_mut() {`
`609`		`- q.initialize(&mem)`
`610`		`- .map_err(ActivateError::QueueMemoryError)?;`
	`609`	`+ q.initialize(&mem).map_err(ActivateError::QueueError)?;`
`611`	`610`	`}`
`612`	`611`
`613`	`612`	`self.device_state = DeviceState::Activated(mem);`
Original file line number	Diff line number	Diff line change
`@@ -332,8 +332,7 @@ impl<T: VhostUserHandleBackend + Send + 'static> VirtioDevice for VhostUserBlock`
`332`	`332`
`333`	`333`	`fn activate(&mut self, mem: GuestMemoryMmap) -> Result<(), ActivateError> {`
`334`	`334`	`for q in self.queues.iter_mut() {`
`335`		`- q.initialize(&mem)`
`336`		`- .map_err(ActivateError::QueueMemoryError)?;`
	`335`	`+ q.initialize(&mem).map_err(ActivateError::QueueError)?;`
`337`	`336`	`}`
`338`	`337`
`339`	`338`	`let start_time = get_time_us(ClockType::Monotonic);`
Original file line number	Diff line number	Diff line change
`@@ -628,8 +628,7 @@ impl VirtioDevice for VirtioBlock {`
`628`	`628`
`629`	`629`	`fn activate(&mut self, mem: GuestMemoryMmap) -> Result<(), ActivateError> {`
`630`	`630`	`for q in self.queues.iter_mut() {`
`631`		`- q.initialize(&mem)`
`632`		`- .map_err(ActivateError::QueueMemoryError)?;`
	`631`	`+ q.initialize(&mem).map_err(ActivateError::QueueError)?;`
`633`	`632`	`}`
`634`	`633`
`635`	`634`	`let event_idx = self.has_feature(u64::from(VIRTIO_RING_F_EVENT_IDX));`
Original file line number	Diff line number	Diff line change
`@@ -1000,8 +1000,7 @@ impl VirtioDevice for Net {`
`1000`	`1000`
`1001`	`1001`	`fn activate(&mut self, mem: GuestMemoryMmap) -> Result<(), ActivateError> {`
`1002`	`1002`	`for q in self.queues.iter_mut() {`
`1003`		`- q.initialize(&mem)`
`1004`		`- .map_err(ActivateError::QueueMemoryError)?;`
	`1003`	`+ q.initialize(&mem).map_err(ActivateError::QueueError)?;`
`1005`	`1004`	`}`
`1006`	`1005`
`1007`	`1006`	`let event_idx = self.has_feature(u64::from(VIRTIO_RING_F_EVENT_IDX));`
Original file line number	Diff line number	Diff line change
`@@ -294,8 +294,7 @@ impl VirtioDevice for Entropy {`
`294`	`294`
`295`	`295`	`fn activate(&mut self, mem: GuestMemoryMmap) -> Result<(), ActivateError> {`
`296`	`296`	`for q in self.queues.iter_mut() {`
`297`		`- q.initialize(&mem)`
`298`		`- .map_err(ActivateError::QueueMemoryError)?;`
	`297`	`+ q.initialize(&mem).map_err(ActivateError::QueueError)?;`
`299`	`298`	`}`
`300`	`299`
`301`	`300`	`self.activate_event.write(1).map_err(\|_\| {`
Original file line number	Diff line number	Diff line change
`@@ -331,8 +331,7 @@ where`
`331`	`331`
`332`	`332`	`fn activate(&mut self, mem: GuestMemoryMmap) -> Result<(), ActivateError> {`
`333`	`333`	`for q in self.queues.iter_mut() {`
`334`		`- q.initialize(&mem)`
`335`		`- .map_err(ActivateError::QueueMemoryError)?;`
	`334`	`+ q.initialize(&mem).map_err(ActivateError::QueueError)?;`
`336`	`335`	`}`
`337`	`336`
`338`	`337`	`if self.queues.len() != defs::VSOCK_NUM_QUEUES {`