From: Alex Bennée
To: qemu-devel@nongnu.org
Cc: Peter Xu, Marc-André Lureau, David Hildenbrand, Daniel P. Berrangé, Markus Armbruster, Akihiko Odaki, Pierrick Bouvier, Alex Bennée, Paolo Bonzini, Eric Blake, "Michael S. Tsirkin", Dmitry Osipenko, Philippe Mathieu-Daudé, Akihiko Odaki
Subject: [PATCH 17/20] virtio-gpu: Validate hostmem mapping offset
Date: Wed, 4 Mar 2026 16:50:39 +0000
Message-ID: <20260304165043.1437519-18-alex.bennee@linaro.org>
In-Reply-To: <20260304165043.1437519-1-alex.bennee@linaro.org>
References: <20260304165043.1437519-1-alex.bennee@linaro.org>

From: Dmitry Osipenko

Check hostmem mapping boundaries originated from guest.

Suggested-by: Akihiko Odaki
Reviewed-by: Akihiko Odaki
Signed-off-by: Dmitry Osipenko Message-ID: <20260303151422.977399-16-dmitry.osipenko@collabora.com> --- hw/display/virtio-gpu-virgl.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c index abf7c176a65..f4d1113827e 100644 --- a/hw/display/virtio-gpu-virgl.c +++ b/hw/display/virtio-gpu-virgl.c @@ -791,6 +791,7 @@ static void virgl_cmd_resource_map_blob(VirtIOGPU *g, struct virtio_gpu_resource_map_blob mblob; struct virtio_gpu_virgl_resource *res; struct virtio_gpu_resp_map_info resp; + VirtIOGPUBase *b =3D VIRTIO_GPU_BASE(g); int ret; =20 VIRTIO_GPU_FILL_CMD(mblob); @@ -804,6 +805,15 @@ static void virgl_cmd_resource_map_blob(VirtIOGPU *g, return; } =20 + if (mblob.offset + res->base.blob_size > b->conf.hostmem || + mblob.offset + res->base.blob_size < mblob.offset) { + qemu_log_mask(LOG_GUEST_ERROR, + "%s: failed to map virgl resource: invalid offset\n", + __func__); + cmd->error =3D VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER; + return; + } + ret =3D virtio_gpu_virgl_map_resource_blob(g, res, mblob.offset); if (ret) { cmd->error =3D VIRTIO_GPU_RESP_ERR_UNSPEC; --=20 2.47.3
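
Review bot: In the second hunk of virgl_cmd_resource_map_blob(), the new bounds test depends on the sum mblob.offset + res->base.blob_size wrapping around, which is only well defined if both operands are unsigned and of the same width, and the sum is written out twice. A subtraction form avoids the wrap entirely and reads as a single range test: reject when mblob.offset > b->conf.hostmem or res->base.blob_size > b->conf.hostmem - mblob.offset. The LOG_GUEST_ERROR message would also be easier to act on if it printed the offset, the blob size and the hostmem limit instead of only "invalid offset".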