From: Marc-André Lureau
Date: Wed, 11 Mar 2026 01:26:53 +0400
Subject: [PATCH 1/2] virtio-gpu: fix overflow check when allocating 2d image
Message-Id: <20260311-cve-v1-1-f72b4c7c1ab2@redhat.com>
References: <20260311-cve-v1-0-f72b4c7c1ab2@redhat.com>
In-Reply-To: <20260311-cve-v1-0-f72b4c7c1ab2@redhat.com>
To: qemu-devel@nongnu.org
Cc: Alex Bennée, Akihiko Odaki, Dmitry Osipenko, "Michael S. Tsirkin", Marc-André Lureau, Zero Day Initiative

The calc_image_hostmem() comment says pixman_image_create_bits() checks for overflow. However, this relied on the fact that "bits" was NULL and it performed it when it was introduced. Since commit 9462ff4695aa, the "bits" argument can be provided and the check is no longer applied.

Promotes the computation to uint64_t and adds an explicit overflow check to avoid potential later OOB read/write on the image data.

Fixes: CVE-2026-3886
Fixes: ZDI-CAN-27578
Fixes: 9462ff4695aa ("virtio-gpu/win32: allocate shareable 2d resources/images")
Reported-by: Zero Day Initiative
Signed-off-by: Marc-André Lureau
---
 hw/display/virtio-gpu.c | 36 +++++++++++++++++++++++++-----------
 1 file changed, 25 insertions(+), 11 deletions(-)

diff --git a/hw/display/virtio-gpu.c b/hw/display/virtio-gpu.c
index de7a86a73d2..468ea6ab0fb 100644
--- a/hw/display/virtio-gpu.c
+++ b/hw/display/virtio-gpu.c
@@ -227,16 +227,20 @@ void virtio_gpu_get_edid(VirtIOGPU *g, virtio_gpu_ctrl_response(g, cmd, &edid.hdr, sizeof(edid)); } =20 -static uint32_t calc_image_hostmem(pixman_format_code_t pformat, - uint32_t width, uint32_t height) +static bool calc_image_hostmem(pixman_format_code_t pformat, + uint32_t width, uint32_t height, + uint32_t *hostmem) { - /* Copied from pixman/pixman-bits-image.c, skip integer overflow check. - * pixman_image_create_bits will fail in case it overflow. - */ + uint64_t bpp =3D PIXMAN_FORMAT_BPP(pformat); + uint64_t stride =3D (((uint64_t)width * bpp + 0x1f) >> 5) * sizeof(uin= t32_t); + uint64_t size =3D (uint64_t)height * stride; =20 - int bpp =3D PIXMAN_FORMAT_BPP(pformat); - int stride =3D ((width * bpp + 0x1f) >> 5) * sizeof(uint32_t); - return height * stride; + if (size > UINT32_MAX) { + return false; + } + + *hostmem =3D size; + return true; } =20 static void virtio_gpu_resource_create_2d(VirtIOGPU *g, @@ -246,6 +250,7 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g, pixman_format_code_t pformat; struct virtio_gpu_simple_resource *res; struct virtio_gpu_resource_create_2d c2d; + uint32_t hostmem; =20 VIRTIO_GPU_FILL_CMD(c2d); virtio_gpu_bswap_32(&c2d, sizeof(c2d)); @@ -284,7 +289,12 @@ static void virtio_gpu_resource_create_2d(VirtIOGPU *g, return; } =20 - res->hostmem =3D calc_image_hostmem(pformat, c2d.width, c2d.height); + if (!calc_image_hostmem(pformat, c2d.width, c2d.height, &hostmem)) { + qemu_log_mask(LOG_GUEST_ERROR, "%s: image dimensions overflow\n", + __func__); + goto end; + } + res->hostmem =3D hostmem; if (res->hostmem + g->hostmem < g->conf_max_hostmem) { if (!qemu_pixman_image_new_shareable( &res->image, @@ -1292,7 +1302,7 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque,= size_t size, VirtIOGPU *g =3D opaque; Error *err =3D NULL; struct virtio_gpu_simple_resource *res; - uint32_t resource_id, pformat; + uint32_t resource_id, pformat, hostmem; int i, ret; =20 g->hostmem =3D 0; 
@@ -1318,7 +1328,11 @@ static int virtio_gpu_load(QEMUFile *f, void *opaque= , size_t size, return -EINVAL; } =20 - res->hostmem =3D calc_image_hostmem(pformat, res->width, res->heig= ht); + if (!calc_image_hostmem(pformat, res->width, res->height, &hostmem= )) { + g_free(res); + return -EINVAL; + } + res->hostmem =3D hostmem; if (!qemu_pixman_image_new_shareable(&res->image, &res->share_handle, "virtio-gpu res", --=20 2.53.0
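Review bot: in the first hunk (calc_image_hostmem), `(uint64_t)height * stride` can itself wrap in 64 bits: width and height are both uint32_t, so with a 32 bpp format stride reaches about 2^34 and the product about 2^66, and a wrapped value such as 0 would pass the `size > UINT32_MAX` test. Compare without multiplying instead, e.g. `if (height != 0 && stride > UINT32_MAX / height) { return false; }`, after which the `size > UINT32_MAX` check becomes unnecessary. The deleted comment was the only place the overflow reasoning was documented; a one-line comment on the new function stating that it returns false when the image would not fit in a uint32_t would keep that documented.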
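Review bot: in the virtio_gpu_resource_create_2d hunk (@@ -284,7 +289,12 @@), the new failure branch leaves with `goto end;` while the pformat failure path immediately above it in the visible context ends with `return;`, and the equivalent failure in the virtio_gpu_load hunk does `g_free(res); return -EINVAL;`. Please confirm that the `end:` label releases `res` and sets `cmd->error` so the guest gets an error response rather than an OK for a resource that was never created; otherwise mirror the surrounding pattern and free plus return here as well.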
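Review bot: in the virtio_gpu_load hunk (@@ -1318,7 +1328,11 @@), the rejection returns -EINVAL silently, whereas the create_2d path logs the rejected dimensions with qemu_log_mask(LOG_GUEST_ERROR, ...); a similar log line here (width and height are available as res->width / res->height) would make a rejected migration stream diagnosable instead of failing with a bare -EINVAL.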
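To make the commit message's point concrete, here is an added stand-alone example (not QEMU's code) that reproduces the calc_image_hostmem() arithmetic before and after the patch, plus a division-based variant that cannot wrap; pixman_format_code_t is replaced by a plain bits-per-pixel argument so it builds without pixman.h.

```c
/* Added example, not QEMU code: size arithmetic of calc_image_hostmem()
 * before and after the patch, with a plain bpp argument in place of
 * PIXMAN_FORMAT_BPP(pformat). All inputs below are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Pre-patch arithmetic: 32-bit intermediates, no overflow check. */
static uint32_t hostmem_unchecked(int bpp, uint32_t width, uint32_t height)
{
    int stride = ((width * bpp + 0x1f) >> 5) * sizeof(uint32_t);
    return height * stride;            /* wraps modulo 2^32 */
}

/* Patch arithmetic: 64-bit intermediates, reject sizes above UINT32_MAX. */
static bool hostmem_u64(int bpp, uint32_t width, uint32_t height,
                        uint32_t *hostmem)
{
    uint64_t stride = (((uint64_t)width * bpp + 0x1f) >> 5) * sizeof(uint32_t);
    uint64_t size = (uint64_t)height * stride;   /* can still wrap past 2^64 */

    if (size > UINT32_MAX) {
        return false;
    }
    *hostmem = size;
    return true;
}

/* Division-based check: never forms height * stride before validating it,
 * so it is exact even when both operands are near 2^32. */
static bool hostmem_div(int bpp, uint32_t width, uint32_t height,
                        uint32_t *hostmem)
{
    uint64_t stride = (((uint64_t)width * bpp + 0x1f) >> 5) * sizeof(uint32_t);

    if (height != 0 && stride > UINT32_MAX / height) {
        return false;
    }
    *hostmem = (uint32_t)(height * stride);      /* now provably <= UINT32_MAX */
    return true;
}

int main(void)
{
    uint32_t h = 0;
    printf("unchecked 32768x131073 @32bpp: %u bytes\n",
           hostmem_unchecked(32, 32768, 131073));      /* 131072, not 16 GiB */
    printf("u64 check 2^31x2^31: %s\n",
           hostmem_u64(32, 1u << 31, 1u << 31, &h) ? "accepted" : "rejected");
    printf("div check 2^31x2^31: %s\n",
           hostmem_div(32, 1u << 31, 1u << 31, &h) ? "accepted" : "rejected");
    return 0;
}
```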