fix(virtio-pci): check guest values for MSI-X vector

bchalios · bchalios · commit 874ffb196f7b · 2025-08-11T13:38:39.000+02:00
We should check that the MSI-X vector that a guest assigns to a VirtIO
queue or configuration is a valid one. If it is a value bigger than the
available vectors allocated for the device, it should not update the
vector field and mark the corresponding vector to the NO_VECTOR value.

Signed-off-by: Babis Chalios &lt;bchalios@amazon.es&gt;
diff --git a/src/vmm/src/devices/virtio/transport/pci/common_config.rs b/src/vmm/src/devices/virtio/transport/pci/common_config.rs
@@ -261,15 +261,16 @@ impl VirtioPciCommonConfig {
             0x16 => self.queue_select = value,
             0x18 => self.with_queue_mut(queues, |q| q.size = value),
             0x1a => {
+                let mut msix_queues = self.msix_queues.lock().expect("Poisoned lock");
+                let nr_vectors = msix_queues.len() + 1;
                 // Make sure that `queue_select` points to a valid queue. If not, we won't do
                 // anything here and subsequent reads at 0x1a will return `NO_VECTOR`.
-                if let Some(msix_queue) = self
-                    .msix_queues
-                    .lock()
-                    .unwrap()
-                    .get_mut(self.queue_select as usize)
-                {
-                    *msix_queue = value;
+                if let Some(queue) = msix_queues.get_mut(self.queue_select as usize) {
+                    if (value as usize) < nr_vectors {
+                        *queue = value;
+                    } else {
+                        *queue = 0xffff;
+                    }
                 }
             }
             0x1c => self.with_queue_mut(queues, |q| {
diff --git a/src/vmm/src/devices/virtio/transport/pci/device.rs b/src/vmm/src/devices/virtio/transport/pci/device.rs
@@ -10,7 +10,7 @@
 use std::cmp;
 use std::collections::HashMap;
 use std::fmt::{Debug, Formatter};
-use std::io::Write;
+use std::io::{ErrorKind, Write};
 use std::sync::atomic::{AtomicBool, AtomicU16, AtomicU32, AtomicUsize, Ordering};
 use std::sync::{Arc, Barrier, Mutex};
 
@@ -764,9 +764,12 @@ impl VirtioInterrupt for VirtioInterruptMsix {
     fn trigger(&self, int_type: VirtioInterruptType) -> std::result::Result<(), std::io::Error> {
         let vector = match int_type {
             VirtioInterruptType::Config => self.config_vector.load(Ordering::Acquire),
-            VirtioInterruptType::Queue(queue_index) => {
-                self.queues_vectors.lock().unwrap()[queue_index as usize]
-            }
+            VirtioInterruptType::Queue(queue_index) => *self
+                .queues_vectors
+                .lock()
+                .unwrap()
+                .get(queue_index as usize)
+                .ok_or(ErrorKind::InvalidInput)?,
         };
 
         if vector == VIRTQ_MSI_NO_VECTOR {
@@ -792,9 +795,11 @@ impl VirtioInterrupt for VirtioInterruptMsix {
     fn notifier(&self, int_type: VirtioInterruptType) -> Option<&EventFd> {
         let vector = match int_type {
             VirtioInterruptType::Config => self.config_vector.load(Ordering::Acquire),
-            VirtioInterruptType::Queue(queue_index) => {
-                self.queues_vectors.lock().unwrap()[queue_index as usize]
-            }
+            VirtioInterruptType::Queue(queue_index) => *self
+                .queues_vectors
+                .lock()
+                .unwrap()
+                .get(queue_index as usize)?,
         };
 
         self.interrupt_source_group
