Typo Leads to Disclosure of Host Memory to Guest in Hyperkit [CVE-2021-32847]

We discussed this vulnerability during Episode 90 on 12 October 2021

The handling of incoming virtio descriptors in pci_vtblk_proc for the VBH_OP_DISCARD operation contains a likely typo that allows a guest to trigger an out-of-bounds memory read.

The problem is the following assert statement:

/* We currently limit the discard to one segment in the initial negotiation
	so expect exactly one correctly-sized payload descriptor. */
assert(iov[1].iov_len = sizeof(struct virtio_blk_discard_write_zeroes));

The comment above the assert indicates that it is meant to ensure the payload descriptor has the correct size. The assert itself, however, does not compare with == but assigns to iov[1].iov_len with a single =. The expression evaluates to sizeof(struct virtio_blk_discard_write_zeroes), which is nonzero, so the assert never fires; instead the guest-supplied length is silently overwritten with the expected payload size, and the rest of the handler proceeds with an iov_len that no longer matches the descriptor the guest actually provided, potentially one that is longer than the buffer the guest supplied. Note also that in a build with assertions compiled out (NDEBUG), the assert expands to nothing at all, so neither the comparison nor the assignment happens and the guest-controlled length is used without any validation.
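The following is an added illustration, not Hyperkit's code, of how the = versus == typo plays out. The 16-byte layout of struct virtio_blk_discard_write_zeroes, the struct iovec pair, and the 8-byte "adjacent host memory" region are all constructed for the example; the buggy check is written out as what assert(expr) expands to when assertions are enabled, so the demonstration does not depend on the build's NDEBUG setting.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Assumed payload layout for the example: 16 bytes (sector, num_sectors, flags). */
struct virtio_blk_discard_write_zeroes {
    uint64_t sector;
    uint32_t num_sectors;
    uint32_t flags;
};

/* Buggy check, spelled out as the page's assert(expr) expands to with assertions on:
 * a single '=' overwrites the guest-supplied length with 16, the expression is
 * nonzero, so abort() never runs and the check always "passes". */
static bool buggy_check(struct iovec *iov)
{
    if (!(iov[1].iov_len = sizeof(struct virtio_blk_discard_write_zeroes)))
        abort();
    return true;
}

/* Corrected check: reject a descriptor whose length is not exactly the payload size. */
static bool fixed_check(const struct iovec *iov)
{
    return iov[1].iov_len == sizeof(struct virtio_blk_discard_write_zeroes);
}

/* Stand-in for the rest of the discard handler: copy iov_len bytes of payload.
 * Returns the number of bytes copied, or -1 if the descriptor was rejected. */
static long handle_discard(struct iovec *iov,
                           struct virtio_blk_discard_write_zeroes *out,
                           bool use_buggy)
{
    bool ok = use_buggy ? buggy_check(iov) : fixed_check(iov);
    if (!ok)
        return -1;
    memcpy(out, iov[1].iov_base, iov[1].iov_len);
    return (long)iov[1].iov_len;
}

/* Constructed scenario: the guest supplies an 8-byte payload descriptor, and the
 * 8 bytes immediately after it in host memory hold data the guest must not see. */
#define SHORT_LEN 8
static uint8_t backing[16];
static struct virtio_blk_discard_write_zeroes last_payload;

static long run_scenario(bool use_buggy)
{
    memset(backing, 0x11, SHORT_LEN);             /* guest-visible payload bytes */
    memcpy(backing + SHORT_LEN, "HOSTMEM!", 8);   /* adjacent host memory (constructed) */

    struct iovec iov[2];
    iov[0].iov_base = NULL; iov[0].iov_len = 0;   /* header slot, unused here */
    iov[1].iov_base = backing;
    iov[1].iov_len = SHORT_LEN;                   /* guest declared only 8 bytes */

    memset(&last_payload, 0, sizeof last_payload);
    return handle_discard(iov, &last_payload, use_buggy);
}

/* True if bytes beyond the guest's declared 8 bytes ended up in the parsed payload. */
static bool leaked_host_bytes(void)
{
    return memcmp((const uint8_t *)&last_payload + SHORT_LEN, "HOSTMEM!", 8) == 0;
}

int main(void)
{
    long n = run_scenario(true);
    long m = run_scenario(false);
    return (n == 16 && m == -1) ? 0 : 1;
}
```

With the buggy check the handler copies 16 bytes even though the guest only declared 8, and the second half of the parsed payload is the data that sat next to the guest buffer; with the == check the undersized descriptor is rejected before anything is read.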