From nobody Sun Sep 28 15:58:49 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1756307163445546.0357480670745; Wed, 27 Aug 2025 08:06:03 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1urHi2-0004cR-3b; Wed, 27 Aug 2025 11:05:11 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1urHhj-00040R-AU; Wed, 27 Aug 2025 11:04:53 -0400 Received: from isrv.corpit.ru ([212.248.84.144]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1urHhg-0004wj-TG; Wed, 27 Aug 2025 11:04:50 -0400 Received: from tsrv.corpit.ru (tsrv.tls.msk.ru [192.168.177.2]) by isrv.corpit.ru (Postfix) with ESMTP id A35FC14C53B; Wed, 27 Aug 2025 18:02:57 +0300 (MSK) Received: from think4mjt.tls.msk.ru (mjtthink.wg.tls.msk.ru [192.168.177.146]) by tsrv.corpit.ru (Postfix) with ESMTP id 8D63F269843; Wed, 27 Aug 2025 18:03:24 +0300 (MSK) From: Michael Tokarev To: qemu-devel@nongnu.org Cc: qemu-stable@nongnu.org, Jonah Palmer , terrynini , Si-Wei Liu , Jason Wang , "Michael S. Tsirkin" , Michael Tokarev Subject: [Stable-10.0.4 19/59] virtio: fix off-by-one and invalid access in virtqueue_ordered_fill Date: Wed, 27 Aug 2025 18:02:24 +0300 Message-ID: <20250827150323.2694101-19-mjt@tls.msk.ru> X-Mailer: git-send-email 2.47.2 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=212.248.84.144; envelope-from=mjt@tls.msk.ru; helo=isrv.corpit.ru X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZM-MESSAGEID: 1756307173083124100 Content-Type: text/plain; charset="utf-8" From: Jonah Palmer Commit b44135daa372 introduced virtqueue_ordered_fill for VIRTIO_F_IN_ORDER support but had a few issues: * Conditional while loop used 'steps <=3D max_steps' but should've been 'steps < max_steps' since reaching steps =3D=3D max_steps would indicate that we didn't find an element, which is an error. Without this change, the code would attempt to read invalid data at an index outside of our search range. * Incremented 'steps' using the next chain's ndescs instead of the current one. This patch corrects the loop bounds and synchronizes 'steps' and index increments. We also add a defensive sanity check against malicious or invalid descriptor counts to avoid a potential infinite loop and DoS. Fixes: b44135daa372 ("virtio: virtqueue_ordered_fill - VIRTIO_F_IN_ORDER su= pport") Reported-by: terrynini Signed-off-by: Jonah Palmer Message-Id: <20250721150208.2409779-1-jonah.palmer@oracle.com> Reviewed-by: Si-Wei Liu Acked-by: Jason Wang Reviewed-by: Michael S. Tsirkin Signed-off-by: Michael S. Tsirkin (cherry picked from commit 6fcf5ebafad65adc19a616260ca7dc90005785d1) Signed-off-by: Michael Tokarev diff --git a/hw/virtio/virtio.c b/hw/virtio/virtio.c index ec54573feb..b756f49867 100644 --- a/hw/virtio/virtio.c +++ b/hw/virtio/virtio.c @@ -929,18 +929,18 @@ static void virtqueue_packed_fill(VirtQueue *vq, cons= t VirtQueueElement *elem, static void virtqueue_ordered_fill(VirtQueue *vq, const VirtQueueElement *= elem, unsigned int len) { - unsigned int i, steps, max_steps; + unsigned int i, steps, max_steps, ndescs; =20 i =3D vq->used_idx % vq->vring.num; steps =3D 0; /* - * We shouldn't need to increase 'i' by more than the distance - * between used_idx and last_avail_idx. + * We shouldn't need to increase 'i' by more than or equal to + * the distance between used_idx and last_avail_idx (max_steps). */ max_steps =3D (vq->last_avail_idx - vq->used_idx) % vq->vring.num; =20 /* Search for element in vq->used_elems */ - while (steps <=3D max_steps) { + while (steps < max_steps) { /* Found element, set length and mark as filled */ if (vq->used_elems[i].index =3D=3D elem->index) { vq->used_elems[i].len =3D len; @@ -948,8 +948,18 @@ static void virtqueue_ordered_fill(VirtQueue *vq, cons= t VirtQueueElement *elem, break; } =20 - i +=3D vq->used_elems[i].ndescs; - steps +=3D vq->used_elems[i].ndescs; + ndescs =3D vq->used_elems[i].ndescs; + + /* Defensive sanity check */ + if (unlikely(ndescs =3D=3D 0 || ndescs > vq->vring.num)) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: %s invalid ndescs %u at position %u\n", + __func__, vq->vdev->name, ndescs, i); + return; + } + + i +=3D ndescs; + steps +=3D ndescs; =20 if (i >=3D vq->vring.num) { i -=3D vq->vring.num; --=20 2.47.2