From: Manos Pitsidianakis
Date: Thu, 16 Apr 2026 08:48:09 +0300
Subject: [PATCH 1/2] virtio-snd: check rx buffer descriptor size
Message-Id: <20260416-virtio-fixups-v1-1-ec14e2de0852@linaro.org>
References: <20260416-virtio-fixups-v1-0-ec14e2de0852@linaro.org>
In-Reply-To: <20260416-virtio-fixups-v1-0-ec14e2de0852@linaro.org>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann, "Michael S. Tsirkin", Philippe Mathieu-Daudé, Alex Bennée, qemu-stable@nongnu.org, Manos Pitsidianakis

It must be at least sizeof(virtio_snd_pcm_status). I haven't verified if
it's possible to get an underflow, but Coverity points it out so add a
check.

Signed-off-by: Manos Pitsidianakis
Reviewed-by: Alex Bennée
---
 hw/audio/virtio-snd.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
index fb5cff386606d03e5cfce88f79e404e510bbcde7..93fbcfb43f7fdcfd5c164b496015da743822f5eb 100644
--- a/hw/audio/virtio-snd.c
+++ b/hw/audio/virtio-snd.c
@@ -970,12 +970,14 @@ static void virtio_snd_handle_rx_xfer(VirtIODevice *v= dev, VirtQueue *vq) } =20 stream =3D vsnd->pcm.streams[stream_id]; - if (stream =3D=3D NULL || stream->info.direction !=3D VIRTIO_SND_D= _INPUT) { + size =3D iov_size(elem->in_sg, elem->in_num); + if (stream =3D=3D NULL + || stream->info.direction !=3D VIRTIO_SND_D_INPUT + || size < sizeof(virtio_snd_pcm_status)) { goto rx_err; } + size -=3D sizeof(virtio_snd_pcm_status); WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) { - size =3D iov_size(elem->in_sg, elem->in_num) - - sizeof(virtio_snd_pcm_status); buffer =3D g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size); buffer->elem =3D elem; buffer->vq =3D vq; --=20 2.47.3 From nobody Sat May 30 20:11:55 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=none dis=none) header.from=linaro.org ARC-Seal: i=1; a=rsa-sha256; t=1776318535; cv=none; d=zohomail.com; s=zohoarc; b=nSel0/L4aQG/0X00+WMRnlro1BbmAE90zJis1oDWrYlmqoR8RMB2nhtHk82xNMx9l88i3ZI5V22Kjd1ZCZSJc83wZYuvRoV6EURwW6ytUtEZzzgzHr4+oMSghqlZnj4/8l4BrlplAImmIrA+gCyI59o7CwhAinr0WPCzwtKIT2A= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1776318535; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=F2jYUyzKmM1Ih+knLVuBivXQ4AWzwy4G2sMPSe8xIm8=; b=eAlizq226OnFcLygvOiwxiXbDEwHeqB58XBxIE+Le3oTdX2/UWqQYXSCIi2dLk3cRaBFxcdOeLwedzKHfP26ZHZbW+WmRSh0draZEScUuXx2xY/v45OjhzSzqmpLg+KRk/V97NgQKrzndgce4+KJO81pzYW+nO64JdoCTUl9bpc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) 
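Review bot: the new `size < sizeof(virtio_snd_pcm_status)` test is the right fix and it has to sit before the subtraction, because `size` is a `size_t` and the removed `iov_size(elem->in_sg, elem->in_num) - sizeof(virtio_snd_pcm_status)` wraps to a huge value whenever the in_sg chain the guest supplied is shorter than the status header, after which `g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size)` is called with that wrapped length; so the check is justified even before anyone proves the path is reachable, and a sentence to that effect in the commit message would help the stable backport. Two small things: `<` still admits `size == sizeof(virtio_snd_pcm_status)`, which leaves a zero-length data area after `size -= sizeof(virtio_snd_pcm_status);`, so a one-line comment saying a zero-length rx buffer is intentional would spare the next reader a trip through the consumer; and since the hunk no longer shows what rx_err does with `elem`, please confirm that path still returns the descriptor to the guest rather than leaking it.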
From: Manos Pitsidianakis
Date: Thu, 16 Apr 2026 08:48:10 +0300
Subject: [PATCH 2/2] virtio-snd: check for overflow before g_malloc0
Message-Id: <20260416-virtio-fixups-v1-2-ec14e2de0852@linaro.org>
References: <20260416-virtio-fixups-v1-0-ec14e2de0852@linaro.org>
In-Reply-To: <20260416-virtio-fixups-v1-0-ec14e2de0852@linaro.org>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann, "Michael S. Tsirkin", Philippe Mathieu-Daudé, Alex Bennée, qemu-stable@nongnu.org, Manos Pitsidianakis

Coverity points out one g_malloc0 overflow, but it seems to be a false
positive. Add a check to it regardless to fortify the code, and also add
checks for every other g_malloc0 use.

Signed-off-by: Manos Pitsidianakis
---
 hw/audio/virtio-snd.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
index 93fbcfb43f7fdcfd5c164b496015da743822f5eb..a294d267b097249d0171722a5ec131159a5e7027 100644
--- a/hw/audio/virtio-snd.c
+++ b/hw/audio/virtio-snd.c
@@ -850,7 +850,7 @@ static void virtio_snd_handle_tx_xfer(VirtIODevice *vde= v, VirtQueue *vq) VirtIOSound *vsnd =3D VIRTIO_SND(vdev); VirtIOSoundPCMBuffer *buffer; VirtQueueElement *elem; - size_t msg_sz, size; + size_t msg_sz, size, tmp; virtio_snd_pcm_xfer hdr; uint32_t stream_id; /* @@ -880,6 +880,8 @@ static void virtio_snd_handle_tx_xfer(VirtIODevice *vde= v, VirtQueue *vq) if (msg_sz !=3D sizeof(virtio_snd_pcm_xfer)) { goto tx_err; } + assert(iov_size(elem->out_sg, elem->out_num) >=3D msg_sz); + size =3D iov_size(elem->out_sg, elem->out_num) - msg_sz; stream_id =3D le32_to_cpu(hdr.stream_id); =20 if (stream_id >=3D vsnd->snd_conf.streams @@ -892,9 +894,11 @@ static void virtio_snd_handle_tx_xfer(VirtIODevice *vd= ev, VirtQueue *vq) goto tx_err; } =20 + /* Check for g_malloc0 overflow. */ + if (!g_uint_checked_add(&tmp, sizeof(VirtIOSoundPCMBuffer), size))= { + goto tx_err; + } WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) { - size =3D iov_size(elem->out_sg, elem->out_num) - msg_sz; - buffer =3D g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size); buffer->elem =3D elem; buffer->populated =3D false; @@ -932,7 +936,7 @@ static void virtio_snd_handle_rx_xfer(VirtIODevice *vde= v, VirtQueue *vq) VirtIOSound *vsnd =3D VIRTIO_SND(vdev); VirtIOSoundPCMBuffer *buffer; VirtQueueElement *elem; - size_t msg_sz, size; + size_t msg_sz, size, tmp; virtio_snd_pcm_xfer hdr; uint32_t stream_id; /* @@ -977,6 +981,10 @@ static void virtio_snd_handle_rx_xfer(VirtIODevice *vd= ev, VirtQueue *vq) goto rx_err; } size -=3D sizeof(virtio_snd_pcm_status); + /* Check for g_malloc0 overflow. */ + if (!g_uint_checked_add(&tmp, sizeof(VirtIOSoundPCMBuffer), size))= { + goto rx_err; + } WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) { buffer =3D g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size); buffer->elem =3D elem; --=20 2.47.3
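Review bot: the `assert(iov_size(elem->out_sg, elem->out_num) >= msg_sz);` added in the -880 hunk needs either a justifying comment or an error return. If `msg_sz` is the byte count that was copied out of this same out_sg chain (the hunk only shows it being compared against sizeof(virtio_snd_pcm_xfer)), the assertion is a genuine invariant and a comment saying so would also stop Coverity from re-flagging the subtraction on the next line. If `msg_sz` can come from anywhere else, an assert on descriptor geometry that the guest chooses turns a malformed request into an abort of the whole VM, and the pattern the previous patch uses on the rx side, `if (... size < sizeof(virtio_snd_pcm_status)) { goto rx_err; }`, is the safer one for tx as well.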
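Review bot: `g_uint_checked_add(&tmp, sizeof(VirtIOSoundPCMBuffer), size)` in the -892 and -977 hunks uses the wrong width for its operands: `tmp` and `size` are declared `size_t`, but g_uint_checked_add() takes a `guint *` destination and `guint` operands, so on LP64 hosts the pointer types do not match and the check, where it builds at all, tests 32-bit overflow while g_malloc0() receives a gsize. GLib has g_size_checked_add() for this case; both sites should read `if (!g_size_checked_add(&tmp, sizeof(VirtIOSoundPCMBuffer), size)) {`. Minor: since `tmp` is then the exact value g_malloc0() needs, passing `tmp` instead of recomputing `sizeof(VirtIOSoundPCMBuffer) + size` keeps the checked sum and the allocation size from drifting apart, and the "Check for g_malloc0 overflow." comment could be put above the tx-side `assert` as well so the two checks read as one intent.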