From: Li Qiang
To: mst@redhat.com, kraxel@redhat.com
Cc: Li Qiang, liq3ea@gmail.com, qemu-devel@nongnu.org
Date: Fri, 28 Jun 2019 09:13:58 -0700
Message-Id: <20190628161358.10400-1-liq3ea@163.com>
Subject: [Qemu-devel] [PATCH] virtio-gpu: check if the resource already exists in virtio_gpu_load()

While loading virtio-gpu, the data can be malicious, we should check if the resource already exists.

Signed-off-by: Li Qiang
Reviewed-by: Marc-André Lureau

--- hw/display/virtio-gpu.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c index 2b0f66b1d6..f1ebed9959 100644 --- a/hw/display/virtio-gpu.c +++ b/hw/display/virtio-gpu.c @@ -1002,6 +1002,11 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque= , size_t size, =20 resource_id =3D qemu_get_be32(f); while (resource_id !=3D 0) { + res =3D virtio_gpu_find_resource(g, resource_id); + if (res) { + return -EINVAL; + } + res =3D g_new0(struct virtio_gpu_simple_resource, 1); res->resource_id =3D resource_id; res->width =3D qemu_get_be32(f); --=20 2.17.1
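
Review bot: the new `return -EINVAL` at the top of the `while (resource_id != 0)` loop rejects the stream silently, so a load that fails on a duplicate resource id leaves nothing in the log to say why. Consider reporting the offending id before returning, for example `error_report("virtio-gpu: duplicate resource id %u in migration stream", resource_id);`, and adding a one-line comment above the `virtio_gpu_find_resource()` call noting that ids read from the incoming stream are untrusted and must be unique. The placement before `g_new0()` is right, since nothing allocated in this iteration exists yet on that path. The commit message would also be stronger if it stated what a duplicate id leads to without this check; "the data can be malicious" alone does not tell a later reader what the check protects.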