[RFC PATCH v3 2/7] virtio-gpu: Validate hostmem mapping offset

Dmitry Osipenko posted 7 patches 8 hours ago
Maintainers: "Michael S. Tsirkin" <mst@redhat.com>, "Alex Bennée" <alex.bennee@linaro.org>, Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>, Dmitry Osipenko <dmitry.osipenko@collabora.com>
[RFC PATCH v3 2/7] virtio-gpu: Validate hostmem mapping offset
Posted by Dmitry Osipenko 8 hours ago
Check hostmem mapping boundaries originated from guest.

Suggested-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
---
 hw/display/virtio-gpu-virgl.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c
index a6860f63b563..cf1da4b79626 100644
--- a/hw/display/virtio-gpu-virgl.c
+++ b/hw/display/virtio-gpu-virgl.c
@@ -126,6 +126,14 @@ virtio_gpu_virgl_map_resource_blob(VirtIOGPU *g,
         return -EOPNOTSUPP;
     }
 
+    if (offset + res->base.blob_size > b->conf.hostmem ||
+        offset + res->base.blob_size < offset) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: failed to map virgl resource: invalid offset\n",
+                      __func__);
+        return -1;
+    }
+
     ret = virgl_renderer_resource_map(res->base.resource_id, &data, &size);
     if (ret) {
         qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to map virgl resource: %s\n",
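Review bot: the new bound is checked against res->base.blob_size, but the mapping performed right after it (virgl_renderer_resource_map(..., &data, &size)) reports its own size; if that size can ever exceed blob_size, a guest-chosen offset that passes this check could still put the tail of the mapping past b->conf.hostmem. Consider repeating the check as `offset + size > b->conf.hostmem` (with the same wraparound guard) once size is known, or adding a comment stating why blob_size is the authoritative bound. The wraparound test `offset + res->base.blob_size < offset` is only sound if both operands are unsigned and at least as wide as the sum; worth confirming the types of offset and blob_size in the same file.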
-- 
2.51.1
Re: [RFC PATCH v3 2/7] virtio-gpu: Validate hostmem mapping offset
Posted by Akihiko Odaki 7 hours ago
On 2025/11/20 13:06, Dmitry Osipenko wrote:
> Check hostmem mapping boundaries originated from guest.
> 
> Suggested-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
> Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
> ---
>   hw/display/virtio-gpu-virgl.c | 8 ++++++++
>   1 file changed, 8 insertions(+)
> 
> diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c
> index a6860f63b563..cf1da4b79626 100644
> --- a/hw/display/virtio-gpu-virgl.c
> +++ b/hw/display/virtio-gpu-virgl.c
> @@ -126,6 +126,14 @@ virtio_gpu_virgl_map_resource_blob(VirtIOGPU *g,
>           return -EOPNOTSUPP;
>       }
>   
> +    if (offset + res->base.blob_size > b->conf.hostmem ||
> +        offset + res->base.blob_size < offset) {
> +        qemu_log_mask(LOG_GUEST_ERROR,
> +                      "%s: failed to map virgl resource: invalid offset\n",
> +                      __func__);
> +        return -1;

The last returned error is -EOPNOTSUPP but this returns -1, which does 
not look right.

QEMU should also return VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER if this 
check fails.

> +    }
> +
>       ret = virgl_renderer_resource_map(res->base.resource_id, &data, &size);
>       if (ret) {
>           qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to map virgl resource: %s\n",
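Review bot: on the return value raised above: since the surrounding error path already returns -EOPNOTSUPP, returning a distinct negative errno such as -EINVAL from the new check, rather than a bare -1, gives the caller something it can map to VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER instead of a generic failure. The LOG_GUEST_ERROR message would also be more useful for diagnosing a misbehaving guest driver if it included the rejected offset, blob_size and hostmem values, in the same style as the "%s" detail in the map failure message that follows.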