hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq()

[PATCH] hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq()

Vulnerability Report posted 1 patch 1 month ago

Download mbox

Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/13FE03BE60EA78D6+20260109023548.4047-1-vr@darknavy.com

Maintainers: David Woodhouse <dwmw2@infradead.org>, Paul Durrant <paul@xen.org>, Paolo Bonzini <pbonzini@redhat.com>, Richard Henderson <richard.henderson@linaro.org>, Eduardo Habkost <eduardo@habkost.net>, "Michael S. Tsirkin" <mst@redhat.com>, Marcel Apfelbaum <marcel.apfelbaum@gmail.com>

hw/i386/kvm/xen_evtchn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Expand all Fold all

[PATCH] hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq()

Posted by Vulnerability Report 1 month ago

Reject pirq == s->nr_pirqs in xen_physdev_map_pirq().

Fixes: aa98ee38a5 ("hw/xen: Implement emulated PIRQ hypercall support")
Fixes: CVE-2026-0665
Reported-by: DARKNAVY (@DarkNavyOrg) <vr@darknavy.com>
Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Vulnerability Report <vr@darknavy.com>
---
 hw/i386/kvm/xen_evtchn.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/i386/kvm/xen_evtchn.c b/hw/i386/kvm/xen_evtchn.c
index dd566c4967..173e0818c7 100644
--- a/hw/i386/kvm/xen_evtchn.c
+++ b/hw/i386/kvm/xen_evtchn.c
@@ -1877,7 +1877,7 @@ int xen_physdev_map_pirq(struct physdev_map_pirq *map)
             return pirq;
         }
         map->pirq = pirq;
-    } else if (pirq > s->nr_pirqs) {
+    } else if (pirq >= s->nr_pirqs) {
         return -EINVAL;
     } else {
         /*
-- 
2.39.5 (Apple Git-154)

Re: [PATCH] hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq()

Posted by Paolo Bonzini 1 month ago

Queued, thanks.

Paolo