From: Manos Pitsidianakis
Date: Fri, 17 Apr 2026 08:10:09 +0300
Subject: [PATCH v2 1/2] virtio-snd: check rx buffer descriptor size
Message-Id: <20260417-virtio-fixups-v2-1-4a0d8636a628@linaro.org>
References: <20260417-virtio-fixups-v2-0-4a0d8636a628@linaro.org>
In-Reply-To: <20260417-virtio-fixups-v2-0-4a0d8636a628@linaro.org>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann, "Michael S. Tsirkin", Philippe Mathieu-Daudé, Alex Bennée, Richard Henderson, qemu-stable@nongnu.org, Manos Pitsidianakis
X-Mailer: b4 0.14.2

It must be at least sizeof(virtio_snd_pcm_status). I haven't verified if
it's possible to get an underflow, but Coverity points it out so add a
check.

Signed-off-by: Manos Pitsidianakis
---
 hw/audio/virtio-snd.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
index fb5cff386606d03e5cfce88f79e404e510bbcde7..93fbcfb43f7fdcfd5c164b496015da743822f5eb 100644
--- a/hw/audio/virtio-snd.c
+++ b/hw/audio/virtio-snd.c
@@ -970,12 +970,14 @@ static void virtio_snd_handle_rx_xfer(VirtIODevice *v= dev, VirtQueue *vq) } =20 stream =3D vsnd->pcm.streams[stream_id]; - if (stream =3D=3D NULL || stream->info.direction !=3D VIRTIO_SND_D= _INPUT) { + size =3D iov_size(elem->in_sg, elem->in_num); + if (stream =3D=3D NULL + || stream->info.direction !=3D VIRTIO_SND_D_INPUT + || size < sizeof(virtio_snd_pcm_status)) { goto rx_err; } + size -=3D sizeof(virtio_snd_pcm_status); WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) { - size =3D iov_size(elem->in_sg, elem->in_num) - - sizeof(virtio_snd_pcm_status); buffer =3D g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size); buffer->elem =3D elem; buffer->vq =3D vq;
-- 
2.47.3
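Review bot: the new `size < sizeof(virtio_snd_pcm_status)` test in the rx_xfer hunk closes a real unsigned underflow rather than a Coverity nit, and the commit message should say so: `iov_size(elem->in_sg, elem->in_num)` is the total length of the guest-supplied in descriptors, nothing in the visible lines bounded it before the old `- sizeof(virtio_snd_pcm_status)`, and a wrapped `size_t` went straight into `g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size)`. Since qemu-stable is CC'd, a sentence stating that a too-short chain is guest-controllable would help backporters judge severity. One boundary question: `size == sizeof(virtio_snd_pcm_status)` now passes with a zero-byte PCM payload; if a capture buffer with no data area is not meaningful for the device, `<=` would send it to `rx_err` as well.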
From: Manos Pitsidianakis
Date: Fri, 17 Apr 2026 08:10:10 +0300
Subject: [PATCH v2 2/2] virtio-snd: check for overflow before g_malloc0
Message-Id: <20260417-virtio-fixups-v2-2-4a0d8636a628@linaro.org>
References: <20260417-virtio-fixups-v2-0-4a0d8636a628@linaro.org>
In-Reply-To: <20260417-virtio-fixups-v2-0-4a0d8636a628@linaro.org>
To: qemu-devel@nongnu.org
Cc: Gerd Hoffmann, "Michael S. Tsirkin", Philippe Mathieu-Daudé, Alex Bennée, Richard Henderson, qemu-stable@nongnu.org, Manos Pitsidianakis
X-Mailer: b4 0.14.2

Coverity points out one g_malloc0 overflow, but it seems to be a false
positive. Add a check to it regardless to fortify the code, and also add
checks for every other g_malloc0 use.

Signed-off-by: Manos Pitsidianakis
---
 hw/audio/virtio-snd.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
index 93fbcfb43f7fdcfd5c164b496015da743822f5eb..694bcebb60f6c866346470672cc798b3271ae34f 100644
--- a/hw/audio/virtio-snd.c
+++ b/hw/audio/virtio-snd.c
@@ -850,7 +850,7 @@ static void virtio_snd_handle_tx_xfer(VirtIODevice *vde= v, VirtQueue *vq) VirtIOSound *vsnd =3D VIRTIO_SND(vdev); VirtIOSoundPCMBuffer *buffer; VirtQueueElement *elem; - size_t msg_sz, size; + size_t msg_sz, size, tmp; virtio_snd_pcm_xfer hdr; uint32_t stream_id; /* @@ -880,6 +880,8 @@ static void virtio_snd_handle_tx_xfer(VirtIODevice *vde= v, VirtQueue *vq) if (msg_sz !=3D sizeof(virtio_snd_pcm_xfer)) { goto tx_err; } + assert(iov_size(elem->out_sg, elem->out_num) >=3D msg_sz); + size =3D iov_size(elem->out_sg, elem->out_num) - msg_sz; stream_id =3D le32_to_cpu(hdr.stream_id); =20 if (stream_id >=3D vsnd->snd_conf.streams @@ -892,9 +894,11 @@ static void virtio_snd_handle_tx_xfer(VirtIODevice *vd= ev, VirtQueue *vq) goto tx_err; } =20 + /* Check for g_malloc0 overflow. */ + if (!g_size_checked_add(&tmp, sizeof(VirtIOSoundPCMBuffer), size))= { + goto tx_err; + } WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) { - size =3D iov_size(elem->out_sg, elem->out_num) - msg_sz; - buffer =3D g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size); buffer->elem =3D elem; buffer->populated =3D false; @@ -932,7 +936,7 @@ static void virtio_snd_handle_rx_xfer(VirtIODevice *vde= v, VirtQueue *vq) VirtIOSound *vsnd =3D VIRTIO_SND(vdev); VirtIOSoundPCMBuffer *buffer; VirtQueueElement *elem; - size_t msg_sz, size; + size_t msg_sz, size, tmp; virtio_snd_pcm_xfer hdr; uint32_t stream_id; /* @@ -977,6 +981,10 @@ static void virtio_snd_handle_rx_xfer(VirtIODevice *vd= ev, VirtQueue *vq) goto rx_err; } size -=3D sizeof(virtio_snd_pcm_status); + /* Check for g_malloc0 overflow. */ + if (!g_size_checked_add(&tmp, sizeof(VirtIOSoundPCMBuffer), size))= { + goto rx_err; + } WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) { buffer =3D g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size); buffer->elem =3D elem; --=20 2.47.3
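Review bot: in the `@@ -880` hunk, `assert(iov_size(elem->out_sg, elem->out_num) >= msg_sz)` turns a condition on guest-supplied descriptor lengths into a QEMU abort if it can ever be false, so it must be a genuine invariant. That holds only if `msg_sz` was produced from the same `out_sg` (for example by `iov_to_buf`), which the hunk's context does not show; if so, a comment saying why the assert cannot fire would help, and if not, prefer `goto tx_err` like the `msg_sz != sizeof(virtio_snd_pcm_xfer)` check just above it. Either way `iov_size(elem->out_sg, elem->out_num)` is now evaluated twice in a row; store it once, as the rx side already does with `size = iov_size(elem->in_sg, elem->in_num)`.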
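Review bot: in the `@@ -892` hunk, `tmp` (declared in the `@@ -850` hunk) receives the checked sum from `g_size_checked_add(&tmp, sizeof(VirtIOSoundPCMBuffer), size)` but is never read, and `g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size)` on the following lines recomputes the same expression unchecked. Passing `tmp` (better named `alloc_size`) to `g_malloc0` keeps the check and the allocation from drifting apart and gives the variable a purpose. The check's sense is right: `g_size_checked_add` returns FALSE on overflow, so `!` selects the error path.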
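Review bot: the `@@ -977` hunk has the same write-only `tmp` as the tx side (declared in the `@@ -932` hunk); `g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size)` inside the lock guard should use the checked result. The commit message could also state what the check actually guards: `g_malloc0` never returns NULL (it aborts on allocation failure), so the hazard is not a failed allocation but a wrapped sum yielding an undersized buffer, which matters if the data area is later filled using `size` (not visible in this hunk). On 64-bit hosts `size` is bounded by the descriptor chain (32-bit lengths summed over a bounded number of descriptors), which is why Coverity's report reads as a false positive; the check is still cheap and worth keeping.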
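Added example, not code from the patch series or from QEMU: the two size checks the series adds, written as a stand-alone C function so the wrapped `size_t` from the pre-patch subtraction and the overflow-checked sum can be exercised on concrete lengths. `virtio_snd_pcm_status` and `VirtIOSoundPCMBuffer` are constructed stand-ins (the status struct keeps the spec's two 32-bit fields), and `__builtin_add_overflow` replaces `g_size_checked_add` so no GLib is needed; its return value has the opposite sense.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins, not QEMU's definitions. The status struct keeps
 * the virtio-snd layout (two 32-bit fields); the buffer only needs a header
 * followed by a flexible data array to make the arithmetic realistic. */
typedef struct {
    uint32_t status;
    uint32_t latency_bytes;
} virtio_snd_pcm_status;

typedef struct {
    void *elem;
    void *vq;
    size_t size;
    uint8_t data[];
} VirtIOSoundPCMBuffer;

/* Pre-patch arithmetic: unsigned subtraction with no lower bound. For an
 * in-descriptor chain shorter than the status struct this wraps to a value
 * near SIZE_MAX instead of failing. */
size_t unchecked_payload_size(size_t in_len)
{
    return in_len - sizeof(virtio_snd_pcm_status);
}

/* Both checks from the series in one place. Returns false where the patched
 * rx_xfer path would 'goto rx_err'. __builtin_add_overflow returns true on
 * overflow, the opposite sense of g_size_checked_add, so no '!' here. */
bool rx_alloc_size(size_t in_len, size_t *payload, size_t *alloc)
{
    /* Patch 1: the chain must at least hold the status header. */
    if (in_len < sizeof(virtio_snd_pcm_status)) {
        return false;
    }
    *payload = in_len - sizeof(virtio_snd_pcm_status);
    /* Patch 2: header + payload must not wrap before g_malloc0. */
    if (__builtin_add_overflow(sizeof(VirtIOSoundPCMBuffer), *payload, alloc)) {
        return false;
    }
    return true;
}

int main(void)
{
    /* Constructed descriptor-chain lengths: too short, exact, normal, absurd. */
    size_t lens[] = { 4, sizeof(virtio_snd_pcm_status), 4096 + 8, SIZE_MAX };
    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        size_t payload = 0, alloc = 0;
        bool ok = rx_alloc_size(lens[i], &payload, &alloc);
        printf("in_len=%zu unchecked=%zu checked=%s payload=%zu alloc=%zu\n",
               lens[i], unchecked_payload_size(lens[i]),
               ok ? "ok" : "rx_err", payload, alloc);
    }
    return 0;
}
```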