virtio-snd OOB fixes

[PATCH 4/5] virtio-snd: fix max_size bounds check in input cb

Posted by Manos Pitsidianakis 1 month, 2 weeks ago

In 98e77e3d we calculated the max size and checked that each buffer is smaller than it.

We neglected to subtract the size of the virtio_snd_pcm_status header
from the max size, and max_size was thus larger than the correct value,
leading to potential OOB writes.

If the buffer cannot fit the header or can fit only the header, return
the buffer immediately.

Cc: qemu-stable@nongnu.org
Fixes: 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3 ("virtio-snd: add max size bounds check in input cb")
Reported-by: DARKNAVY <vr@darknavy.com>
Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
---
 hw/audio/virtio-snd.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
index e9c24d679538f0d375c7da05a836833b0897f698..3437211f7904ac77265d8ace8c1a5a582c0be96d 100644
--- a/hw/audio/virtio-snd.c
+++ b/hw/audio/virtio-snd.c
@@ -1255,6 +1255,12 @@ static void virtio_snd_pcm_in_cb(void *data, int available)
             }
 
             max_size = iov_size(buffer->elem->in_sg, buffer->elem->in_num);
+            if (max_size <= sizeof(virtio_snd_pcm_status)) {
+                return_rx_buffer(stream, buffer);
+                continue;
+            }
+            max_size -= sizeof(virtio_snd_pcm_status);
+
             for (;;) {
                 if (buffer->size >= max_size) {
                     return_rx_buffer(stream, buffer);

-- 
2.47.3

[PATCH 1/5] MAINTAINERS: add me as maintainer to virtio-snd
[PATCH 2/5] virtio-snd: remove TODO comments
[PATCH 3/5] virtio-snd: handle 5.14.6.2 for PCM_INFO properly
[PATCH 4/5] virtio-snd: fix max_size bounds check in input cb
[PATCH 5/5] virtio-snd: tighten read amount in in_cb