Source-Changes-HG archive


[src/trunk]: src/sys/dev/pci virtio(4): Fix sizing of virtqueue allocation.



details:   https://anonhg.NetBSD.org/src/rev/b94a91533962
branches:  trunk
changeset: 374052:b94a91533962
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Wed Mar 29 09:44:25 2023 +0000

description:
virtio(4): Fix sizing of virtqueue allocation.

vq->vq_avail[0].ring is a zero-length array, and thus sizeof is zero;
likewise vq->vq_used[0].ring.

Use vq->vq_avail[0].ring[0] and vq->vq_used[0].ring[0] to fix this
and restore the previous allocation sizing logic.

XXX We shouldn't use zero-length arrays here -- they are asking for
trouble like this, and C99 has a standard way to express what we're
actually trying to get at: flexible array members.

PR kern/57304

Reported-by: syzbot+7fb1047f5dfa33b26331%syzkaller.appspotmail.com@localhost
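To make the sizing bug in the commit message concrete, the following is an added example, not code from the NetBSD tree: it uses constructed stand-ins for the vring_avail header (one with a GNU zero-length array as the driver had, one with the C99 flexible array member the message recommends) and computes size_avail the old way, the fixed way, and with the flexible array member.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins (not the kernel's definitions) for the avail ring
 * header: flags, idx, then the ring of descriptor indices. */
struct avail_zla {
	uint16_t flags;
	uint16_t idx;
	uint16_t ring[0];	/* GNU zero-length array: sizeof(ring) == 0 */
};

struct avail_fam {
	uint16_t flags;
	uint16_t idx;
	uint16_t ring[];	/* C99 flexible array member: sizeof(ring) is a compile error */
};

/* Old sizing: sizeof(vq->ring) is 0, so the whole ring term vanishes and
 * the allocation covers only the header.  Writing ring[i] later then
 * lands past the end of the allocation. */
size_t size_avail_buggy(size_t hdrlen, size_t vq_num)
{
	struct avail_zla *vq = NULL;	/* sizeof does not evaluate its operand */
	return sizeof(uint16_t) * hdrlen + sizeof(vq->ring) * vq_num;
}

/* Fixed sizing, as in the commit: sizeof(vq->ring[0]) is one element. */
size_t size_avail_fixed(size_t hdrlen, size_t vq_num)
{
	struct avail_zla *vq = NULL;
	return sizeof(uint16_t) * hdrlen + sizeof(vq->ring[0]) * vq_num;
}

/* Same computation with a flexible array member.  The element form still
 * works; the buggy sizeof(vq->ring) form would fail to compile instead
 * of silently yielding 0. */
size_t size_avail_fam(size_t hdrlen, size_t vq_num)
{
	struct avail_fam *vq = NULL;
	return sizeof(uint16_t) * hdrlen + sizeof(vq->ring[0]) * vq_num;
}

int main(void)
{
	/* hdrlen 2 (flags + idx), a 256-entry queue: constructed sample values */
	printf("buggy %zu fixed %zu fam %zu\n",
	    size_avail_buggy(2, 256), size_avail_fixed(2, 256),
	    size_avail_fam(2, 256));	/* prints "buggy 4 fixed 516 fam 516" */
	return 0;
}
```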

diffstat:

 sys/dev/pci/virtio.c |  8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diffs (30 lines):

diff -r 729926ce4d4d -r b94a91533962 sys/dev/pci/virtio.c
--- a/sys/dev/pci/virtio.c      Tue Mar 28 20:10:01 2023 +0000
+++ b/sys/dev/pci/virtio.c      Wed Mar 29 09:44:25 2023 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: virtio.c,v 1.71 2023/03/27 14:56:40 nakayama Exp $     */
+/*     $NetBSD: virtio.c,v 1.72 2023/03/29 09:44:25 riastradh Exp $    */
 
 /*
  * Copyright (c) 2020 The NetBSD Foundation, Inc.
@@ -28,7 +28,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: virtio.c,v 1.71 2023/03/27 14:56:40 nakayama Exp $");
+__KERNEL_RCSID(0, "$NetBSD: virtio.c,v 1.72 2023/03/29 09:44:25 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -784,9 +784,9 @@ virtio_alloc_vq(struct virtio_softc *sc,
 
        size_desc = sizeof(vq->vq_desc[0]) * vq_num;
        size_avail = sizeof(uint16_t) * hdrlen
-           + sizeof(vq->vq_avail[0].ring) * vq_num;
+           + sizeof(vq->vq_avail[0].ring[0]) * vq_num;
        size_used = sizeof(uint16_t) *hdrlen
-           + sizeof(vq->vq_used[0].ring) * vq_num;
+           + sizeof(vq->vq_used[0].ring[0]) * vq_num;
        size_indirect = (sc->sc_indirect && maxnsegs >= MINSEG_INDIRECT) ?
            sizeof(struct vring_desc) * maxnsegs * vq_num : 0;
 
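Review bot: the two `+` lines are correct, but they now depend on a reader knowing that `sizeof(vq->vq_avail[0].ring)` is 0 for a zero-length array; a one-line comment at the `size_avail` and `size_used` assignments saying that `ring[0]` is deliberate (or the conversion to flexible array members the commit message calls for, which turns `sizeof(ring)` into a compile error instead of a silent 0) would stop the next person from "simplifying" it back. Minor style point in the unchanged context: `size_used = sizeof(uint16_t) *hdrlen` is missing the space after `*` that the matching `size_avail` line has.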


