From nobody Sat Apr 11 17:07:48 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=quarantine dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1775765300; cv=none; d=zohomail.com; s=zohoarc; b=nCgC7vYjwv+3HSMc1FslSNjBxbsu39vOfRI5EEqP7vyYxNaxOnW9lmLXq3/phDCGjJiFmKr5pTYfLnHWf9a1EHExQKSgQD+aGzMn8jajy7Fs0taOSOFNf5yfr/BmnPlcVOdqwinIHiU8BJr2l2z6u23GcjgcK048OMYoydxBzos= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1775765300; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=1LQGcRftzhGJm3QcMdhHa1fN3Kt6KBJ+e/YYGlpAMFA=; b=JzzyBBmuKtqAlrTGrqashp4UOBUuX+1g5m7e/949KyIklrdRIUVJUxJBQywBcG84KPlOsDANoXe8Dd5T96cANBlU1xXhLZmkkkT5xV895FkH6+beOCvTcvypnld9k02NNfAYm5mYYdpdJuCb/JJWHQpKOq7v7O5R8WmjtNhEdjk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=quarantine dis=none) Return-Path: Received: from lists.gnu.org (lists1p.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1775765300092493.0565364367193; Thu, 9 Apr 2026 13:08:20 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1wAvfb-0007Sm-1q; Thu, 09 Apr 2026 16:08:07 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wAvfZ-0007Re-0P for qemu-devel@nongnu.org; Thu, 09 Apr 2026 16:08:05 -0400 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1wAvfV-0003Jk-Te for qemu-devel@nongnu.org; Thu, 09 Apr 2026 16:08:04 -0400 Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-374-NuUX-iAiPoaBkXGDRqMtfw-1; Thu, 09 Apr 2026 16:07:56 -0400 Received: from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id EC9881955F29; Thu, 9 Apr 2026 20:07:53 +0000 (UTC) Received: from localhost (unknown [10.44.34.179]) by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id E3438180035F; Thu, 9 Apr 2026 20:07:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1775765279; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=1LQGcRftzhGJm3QcMdhHa1fN3Kt6KBJ+e/YYGlpAMFA=; b=H7PerjWoUv6HwOsHUSY7jFpgpx6Nz80WpZ/32lt+u1c7lmyNG9nZ8p0tAVbsFUt/zZ+VBj 9n6LLSYvPdxD8MkipZUtTUmsNCSlGfXtFfwBN5QDdHlMWvnPbkXXSdaDkP/3LvtraNQBqd 8Ca9LY47j4SIfRbtAXUh7qlD9F8XS2o= X-MC-Unique: NuUX-iAiPoaBkXGDRqMtfw-1 X-Mimecast-MFC-AGG-ID: NuUX-iAiPoaBkXGDRqMtfw_1775765274 From: Stefan Hajnoczi To: qemu-devel@nongnu.org Cc: Hanna Reitz , Stefan Hajnoczi , , qemu-block@nongnu.org, Kevin Wolf , Peter Maydell , "Michael S. Tsirkin" , Sam Li , Damien Le Moal , Dmitry Fomichev , Mingyuan Luo Subject: [PATCH for-11.0] virtio-blk: fix zone report buffer out-of-memory (CVE-2026-5761) Date: Thu, 9 Apr 2026 16:07:49 -0400 Message-ID: <20260409200749.458162-1-stefanha@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.111 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=170.10.133.124; envelope-from=stefanha@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: 7 X-Spam_score: 0.7 X-Spam_bar: / X-Spam_report: (0.7 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.54, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_SBL_CSS=3.335, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1775765302527158500 Content-Type: text/plain; charset="utf-8" An internal buffer is used when processing VIRTIO_BLK_T_ZONE_REPORT requests. The buffer's size is controlled by the guest. A large value can result in g_malloc() failure and the QEMU process aborts, resulting in a Denial of Service (DoS) (most likely in cases where an untrusted guest application or a nested guest with virtio-blk passthrough is able to abort QEMU). Modify the zone report implementation to work incrementally with a bounded buffer size. This is purely a QEMU implementation issue and no VIRTIO spec changes are needed. Mingyuan Luo found this bug and provided a reproducer which I haven't put into tests/qtest/ because it requires a zoned storage device (e.g. root and modprobe null_blk): 1) Prepare a zoned nullblk backend (/dev/nullb0): sudo modprobe -r null_blk || true sudo modprobe null_blk nr_devices=3D1 zoned=3D1 sudo chmod 0666 /dev/nullb0 cat /sys/block/nullb0/queue/zoned 2) Create qtest input: cat >/tmp/vblk-zone-report-oom.qtest <<'EOF' outl 0xcf8 0x80002004 outw 0xcfc 0x0007 outl 0xcf8 0x80002010 outl 0xcfc 0x0000c001 outb 0xc012 0x00 outb 0xc012 0x01 outb 0xc012 0x03 outl 0xc004 0x00000000 outw 0xc00e 0x0000 outl 0xc008 0x00000100 outb 0xc012 0x07 writel 0x00020000 0x00000010 writel 0x00020004 0x00000000 writeq 0x00020008 0x0000000000000000 writeq 0x00100000 0x0000000000020000 writel 0x00100008 0x00000010 writew 0x0010000c 0x0001 writew 0x0010000e 0x0001 EOF for i in $(seq 1 1022); do d=3D$((0x00100000 + i * 16)) n=3D$((i + 1)) printf 'writeq 0x%08x 0x0000000000200000\n' "$d" >> /tmp/vblk-zone-report-o= om.qtest printf 'writel 0x%08x 0x1fe00000\n' $((d + 8)) >> /tmp/vblk-zone-report-oom= .qtest printf 'writew 0x%08x 0x0003\n' $((d + 12)) >> /tmp/vblk-zone-report-oom.qt= est printf 'writew 0x%08x 0x%04x\n' $((d + 14)) "$n" >> /tmp/vblk-zone-report-o= om.qtest done d=3D$((0x00100000 + 1023 * 16)) printf 'writeq 0x%08x 0x0000000000200000\n' "$d" >> /tmp/vblk-zone-report-o= om.qtest printf 'writel 0x%08x 0x1fe00000\n' $((d + 8)) >> /tmp/vblk-zone-report-oom= .qtest printf 'writew 0x%08x 0x0002\n' $((d + 12)) >> /tmp/vblk-zone-report-oom.qt= est printf 'writew 0x%08x 0x0000\n' $((d + 14)) >> /tmp/vblk-zone-report-oom.qt= est cat >> /tmp/vblk-zone-report-oom.qtest <<'EOF' writew 0x00104000 0x0000 writew 0x00104002 0x0001 writew 0x00104004 0x0000 outw 0xc010 0x0000 EOF 3) Run the qtest input with ASAN build (compile qemu with --enable-asan): build/qemu-system-x86_64 -display none \ -accel qtest -qtest stdio \ -machine pc -nodefaults -m 512M -monitor none -serial none \ -blockdev driver=3Dhost_device,node-name=3Ddisk0,filename=3D/dev/nullb0 \ -device virtio-blk-pci-transitional,drive=3Ddisk0,addr=3D04.0,queue-size=3D= 1024 \ < /tmp/vblk-zone-report-oom.qtest Cc: Sam Li Cc: Damien Le Moal Cc: Dmitry Fomichev Fixes: CVE-2026-5761 Fixes: 4f7366506a9 ("virtio-blk: add zoned storage emulation for zoned devi= ces") Reported-by: Mingyuan Luo Signed-off-by: Stefan Hajnoczi Reviewed-by: Damien Le Moal --- hw/block/virtio-blk.c | 100 ++++++++++++++++++++++++++++-------------- 1 file changed, 67 insertions(+), 33 deletions(-) diff --git a/hw/block/virtio-blk.c b/hw/block/virtio-blk.c index ddf0e9ee53..7fd883320a 100644 --- a/hw/block/virtio-blk.c +++ b/hw/block/virtio-blk.c @@ -38,6 +38,9 @@ #include "hw/virtio/virtio-blk-common.h" #include "qemu/coroutine.h" =20 +/* Internal buffer size limit for zone report */ +#define VIRTIO_BLK_MAX_ZONES_PER_BATCH 4096 + static void virtio_blk_ioeventfd_attach(VirtIOBlock *s); =20 static void virtio_blk_init_request(VirtIOBlock *s, VirtQueue *vq, @@ -447,15 +450,22 @@ err: return err_status; } =20 +typedef struct { + unsigned int total_nr_zones; /* max zones to fill in this request */ + unsigned int nr_zones_done; /* how many zones have been filled in = */ + int64_t iov_offset; /* current byte position in in_iov[] */ + int64_t offset; /* current zone report disk offset */ + unsigned int nr_zones; /* for zone report calls */ + unsigned int zones_per_batch; /* size of zone report buffer */ + BlockZoneDescriptor *zones; /* zone report buffer */ +} ZoneReportData; + typedef struct ZoneCmdData { VirtIOBlockReq *req; struct iovec *in_iov; unsigned in_num; union { - struct { - unsigned int nr_zones; - BlockZoneDescriptor *zones; - } zone_report_data; + ZoneReportData zone_report_data; struct { int64_t offset; } zone_append_data; @@ -512,16 +522,15 @@ static bool check_zoned_request(VirtIOBlock *s, int64= _t offset, int64_t len, static void virtio_blk_zone_report_complete(void *opaque, int ret) { ZoneCmdData *data =3D opaque; + ZoneReportData *zrd =3D &data->zone_report_data; VirtIOBlockReq *req =3D data->req; VirtIODevice *vdev =3D VIRTIO_DEVICE(req->dev); struct iovec *in_iov =3D data->in_iov; unsigned in_num =3D data->in_num; - int64_t zrp_size, n, j =3D 0; - int64_t nz =3D data->zone_report_data.nr_zones; + int64_t n; + int64_t nz =3D zrd->nr_zones; int8_t err_status =3D VIRTIO_BLK_S_OK; - struct virtio_blk_zone_report zrp_hdr =3D (struct virtio_blk_zone_repo= rt) { - .nr_zones =3D cpu_to_le64(nz), - }; + struct virtio_blk_zone_report zrp_hdr =3D {}; =20 trace_virtio_blk_zone_report_complete(vdev, req, nz, ret); if (ret) { @@ -529,28 +538,18 @@ static void virtio_blk_zone_report_complete(void *opa= que, int ret) goto out; } =20 - zrp_size =3D sizeof(struct virtio_blk_zone_report) - + sizeof(struct virtio_blk_zone_descriptor) * nz; - n =3D iov_from_buf(in_iov, in_num, 0, &zrp_hdr, sizeof(zrp_hdr)); - if (n !=3D sizeof(zrp_hdr)) { - virtio_error(vdev, "Driver provided input buffer that is too small= !"); - err_status =3D VIRTIO_BLK_S_ZONE_INVALID_CMD; - goto out; - } - - for (size_t i =3D sizeof(zrp_hdr); i < zrp_size; - i +=3D sizeof(struct virtio_blk_zone_descriptor), ++j) { + for (size_t j =3D 0; j < nz; j++) { struct virtio_blk_zone_descriptor desc =3D (struct virtio_blk_zone_descriptor) { - .z_start =3D cpu_to_le64(data->zone_report_data.zones[j].s= tart + .z_start =3D cpu_to_le64(zrd->zones[j].start >> BDRV_SECTOR_BITS), - .z_cap =3D cpu_to_le64(data->zone_report_data.zones[j].cap + .z_cap =3D cpu_to_le64(zrd->zones[j].cap >> BDRV_SECTOR_BITS), - .z_wp =3D cpu_to_le64(data->zone_report_data.zones[j].wp + .z_wp =3D cpu_to_le64(zrd->zones[j].wp >> BDRV_SECTOR_BITS), }; =20 - switch (data->zone_report_data.zones[j].type) { + switch (zrd->zones[j].type) { case BLK_ZT_CONV: desc.z_type =3D VIRTIO_BLK_ZT_CONV; break; @@ -564,7 +563,7 @@ static void virtio_blk_zone_report_complete(void *opaqu= e, int ret) g_assert_not_reached(); } =20 - switch (data->zone_report_data.zones[j].state) { + switch (zrd->zones[j].state) { case BLK_ZS_RDONLY: desc.z_state =3D VIRTIO_BLK_ZS_RDONLY; break; @@ -594,18 +593,47 @@ static void virtio_blk_zone_report_complete(void *opa= que, int ret) } =20 /* TODO: it takes O(n^2) time complexity. Optimizations required. = */ - n =3D iov_from_buf(in_iov, in_num, i, &desc, sizeof(desc)); + n =3D iov_from_buf(in_iov, in_num, zrd->iov_offset, &desc, sizeof(= desc)); if (n !=3D sizeof(desc)) { virtio_error(vdev, "Driver provided input buffer " "for descriptors that is too small!"); err_status =3D VIRTIO_BLK_S_ZONE_INVALID_CMD; + goto out; } + + zrd->iov_offset +=3D sizeof(desc); + } + + if (nz > 0) { + BlockZoneDescriptor *zone =3D &zrd->zones[nz - 1]; + zrd->offset =3D zone->start + zone->length; + } + + zrd->nr_zones_done +=3D nz; + + /* Call zone report again if the end hasn't been reached yet */ + if (nz =3D=3D zrd->zones_per_batch && + zrd->nr_zones_done < zrd->total_nr_zones) { + zrd->nr_zones =3D MIN(zrd->zones_per_batch, + zrd->total_nr_zones - zrd->nr_zones_done); + blk_aio_zone_report(req->dev->blk, zrd->offset, &zrd->nr_zones, + zrd->zones, virtio_blk_zone_report_complete, d= ata); + return; + } + + /* Fill in header now that all zones have been reported */ + zrp_hdr.nr_zones =3D cpu_to_le64(zrd->nr_zones_done); + n =3D iov_from_buf(in_iov, in_num, 0, &zrp_hdr, sizeof(zrp_hdr)); + if (n !=3D sizeof(zrp_hdr)) { + virtio_error(vdev, "Driver provided input buffer that is too small= !"); + err_status =3D VIRTIO_BLK_S_ZONE_INVALID_CMD; + goto out; } =20 out: virtio_blk_req_complete(req, err_status); g_free(req); - g_free(data->zone_report_data.zones); + g_free(zrd->zones); g_free(data); } =20 @@ -617,7 +645,8 @@ static void virtio_blk_handle_zone_report(VirtIOBlockRe= q *req, VirtIODevice *vdev =3D VIRTIO_DEVICE(s); unsigned int nr_zones; ZoneCmdData *data; - int64_t zone_size, offset; + ZoneReportData *zrd; + int64_t offset; uint8_t err_status; =20 if (req->in_len < sizeof(struct virtio_blk_inhdr) + @@ -639,16 +668,21 @@ static void virtio_blk_handle_zone_report(VirtIOBlock= Req *req, trace_virtio_blk_handle_zone_report(vdev, req, offset >> BDRV_SECTOR_BITS, nr_zon= es); =20 - zone_size =3D sizeof(BlockZoneDescriptor) * nr_zones; data =3D g_malloc(sizeof(ZoneCmdData)); data->req =3D req; data->in_iov =3D in_iov; data->in_num =3D in_num; - data->zone_report_data.nr_zones =3D nr_zones; - data->zone_report_data.zones =3D g_malloc(zone_size), =20 - blk_aio_zone_report(s->blk, offset, &data->zone_report_data.nr_zones, - data->zone_report_data.zones, + zrd =3D &data->zone_report_data; + zrd->total_nr_zones =3D nr_zones; + zrd->nr_zones_done =3D 0; + zrd->iov_offset =3D sizeof(struct virtio_blk_zone_report); + zrd->offset =3D offset; + zrd->zones_per_batch =3D MIN(nr_zones, VIRTIO_BLK_MAX_ZONES_PER_BATCH); + zrd->zones =3D g_malloc(zrd->zones_per_batch * sizeof(BlockZoneDescrip= tor)); + + zrd->nr_zones =3D zrd->zones_per_batch; + blk_aio_zone_report(s->blk, offset, &zrd->nr_zones, zrd->zones, virtio_blk_zone_report_complete, data); return; out: --=20 2.53.0