From: Michael Tokarev
To: qemu-devel@nongnu.org
Cc: qemu-stable@nongnu.org, Manos Pitsidianakis, DARKNAVY, "Michael S. Tsirkin", Michael Tokarev
Subject: [Stable-10.1.5 18/46] virtio-snd: fix max_size bounds check in input cb
Date: Wed, 11 Mar 2026 18:02:54 +0300
Message-ID: <20260311150327.1084669-18-mjt@tls.msk.ru>
From: Manos Pitsidianakis

In 98e77e3d we calculated the max size and checked that each buffer is smaller than it. We neglected to subtract the size of the virtio_snd_pcm_status header from the max size, and max_size was thus larger than the correct value, leading to potential OOB writes.

If the buffer cannot fit the header or can fit only the header, return the buffer immediately.

Cc: qemu-stable@nongnu.org
Fixes: 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3 ("virtio-snd: add max size bounds check in input cb")
Reported-by: DARKNAVY
Signed-off-by: Manos Pitsidianakis
Reviewed-by: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
Message-Id: <20260220-virtio-snd-series-v1-4-207c4f7200a2@linaro.org>
(cherry picked from commit bcb53328aa70023f1405fade4e253e7f77567261)
Signed-off-by: Michael Tokarev

diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c index 38d9a9712c..effae20bf0 100644 --- a/hw/audio/virtio-snd.c +++ b/hw/audio/virtio-snd.c @@ -1255,6 +1255,12 @@ static void virtio_snd_pcm_in_cb(void *data, int ava= ilable) } =20 max_size =3D iov_size(buffer->elem->in_sg, buffer->elem->in_nu= m); + if (max_size <=3D sizeof(virtio_snd_pcm_status)) { + return_rx_buffer(stream, buffer); + continue; + } + max_size -=3D sizeof(virtio_snd_pcm_status); + for (;;) { if (buffer->size >=3D max_size) { return_rx_buffer(stream, buffer); --=20 2.47.3
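Review bot: after the new `max_size -= sizeof(virtio_snd_pcm_status);` the variable no longer holds the element's total writable size from `iov_size()` but the payload room left once the status header is accounted for, and the unchanged loop check `if (buffer->size >= max_size)` now compares against that reduced bound; a one-line comment above `if (max_size <= sizeof(virtio_snd_pcm_status))` saying that an element with no room beyond the header is handed back via `return_rx_buffer()` unused (the intent stated only in the commit message), or a rename to something like `max_payload`, would make that invariant visible in the code rather than implied. The `<=` rather than `<` matches the "can fit only the header" case the message describes, so the logic itself looks right.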
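As an added illustration (not part of this patch or of QEMU's own code): a constructed model of the input callback's bound, showing why the pre-fix `max_size` lets payload consume the space the status header needs, and how reserving the header first keeps the final write in bounds. The `pcm_status` struct, the 64-byte backing store, the chunked payload writes and the header-after-payload layout are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for virtio_snd_pcm_status: two le32 fields (assumption). */
typedef struct { uint32_t status; uint32_t latency_bytes; } pcm_status;

/* Model of one RX descriptor chain. The model assumes the status header is
 * appended after the payload inside the same writable space. */
typedef struct {
    uint8_t mem[64];    /* backing store standing in for the in_sg pages */
    size_t  capacity;   /* iov_size(in_sg, in_num) for this element */
    size_t  size;       /* payload bytes written so far (buffer->size) */
} rx_buffer;

/* Append n payload bytes; returns 0, or -1 if the write would go out of bounds. */
static int write_payload(rx_buffer *b, size_t n) {
    if (b->size + n > b->capacity) return -1;
    memset(b->mem + b->size, 0xAB, n);
    b->size += n;
    return 0;
}

/* Append the status header after the payload; -1 means an OOB write. */
static int write_status(rx_buffer *b) {
    pcm_status st = { 0, (uint32_t)b->size };
    if (b->size + sizeof st > b->capacity) return -1;
    memcpy(b->mem + b->size, &st, sizeof st);
    return 0;
}

/* Fill a descriptor of `capacity` bytes with chunk-sized payload writes,
 * bounding the payload the way the callback does: the pre-fix bound is the
 * whole descriptor size, the fixed bound reserves the header first.
 * Returns 1 when the buffer is completed without any OOB write, else 0. */
static int fill_and_close(size_t capacity, size_t chunk, int fixed) {
    rx_buffer b = { {0}, capacity, 0 };
    size_t max_size = capacity;
    if (capacity > sizeof b.mem || chunk == 0) return 0;  /* model limits */
    if (fixed) {
        if (max_size <= sizeof(pcm_status)) return 1;  /* returned unused */
        max_size -= sizeof(pcm_status);
    }
    while (b.size < max_size) {
        size_t n = chunk < max_size - b.size ? chunk : max_size - b.size;
        if (write_payload(&b, n) < 0) return 0;
    }
    return write_status(&b) == 0;
}
```

With the pre-fix bound a 64-byte element is filled completely and the header write then fails the bounds check; with the fixed bound the payload stops at 56 bytes and the header fits.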