[PATCH 0/2] libvhost-user, libvduse: fix buffer overflow (CVE-2026-6425)

Stefano Garzarella posted 2 patches 1 month, 1 week ago
git fetch https://github.com/patchew-project/qemu tags/patchew/20260417132645.121192-1-sgarzare@redhat.com
Maintainers: Xie Yongji <xieyongji@bytedance.com>, "Michael S. Tsirkin" <mst@redhat.com>, Stefano Garzarella <sgarzare@redhat.com>
Posted by Stefano Garzarella 1 month, 1 week ago
A guest-triggerable buffer overflow was reported in libvhost-user.
When an indirect descriptor table crosses a memory region boundary,
virtqueue_read_indirect_desc() falls back to a chunked copy, but
the destination pointer is a struct vring_desc pointer advanced by
a byte count, so it overflows the buffer.

libvduse has vduse_queue_read_indirect_desc() which was inspired by
the libvhost-user counterpart, so it has the same issue.

Stefano Garzarella (2):
  libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc()
  libvduse: fix buffer overflow in vduse_queue_read_indirect_desc()

 subprojects/libvduse/libvduse.c           | 7 ++++---
 subprojects/libvhost-user/libvhost-user.c | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

-- 
2.53.0
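The cover letter describes the bug class without showing code: a chunked copy whose destination is a `struct vring_desc *` advanced by a byte count, so every step is scaled by `sizeof(struct vring_desc)` and the write lands far past where it was meant to. The following is an added, constructed illustration of that arithmetic and of a bounds-checked byte-addressed copy; it is not QEMU's libvhost-user or libvduse code and not the patches' fix. `struct vring_desc` here is a stand-in with the virtio 16-byte layout, and `region_chunk`, `read_indirect_desc_chunked` and the `demo_*` helpers are names invented for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the virtio descriptor (same 16-byte layout). */
struct vring_desc {
    uint64_t addr;
    uint32_t len;
    uint16_t flags;
    uint16_t next;
};

/*
 * Model of an indirect table that crosses a memory region boundary:
 * each chunk is the run of bytes one region can supply. A chunked copy
 * reads the runs in order and appends them to the destination table.
 */
struct region_chunk {
    const uint8_t *data;
    size_t len;          /* bytes available before the region ends */
};

/*
 * Byte offset reached when a struct vring_desc pointer is advanced by a
 * byte count: C scales pointer arithmetic by sizeof(*ptr), so the write
 * overshoots by a factor of 16 (the bug the cover letter describes).
 */
size_t struct_ptr_offset_bytes(size_t bytes_already_copied)
{
    return bytes_already_copied * sizeof(struct vring_desc);
}

/* Correct byte offset: advance through a byte-typed view of the buffer. */
size_t byte_ptr_offset_bytes(size_t bytes_already_copied)
{
    return bytes_already_copied;
}

/*
 * Chunked copy done safely: the destination is addressed as bytes and each
 * chunk is bounds-checked against the remaining table size before memcpy.
 * Returns the number of descriptors assembled, or -1 if the chunks do not
 * fit the table exactly.
 */
int read_indirect_desc_chunked(struct vring_desc *dst, size_t dst_count,
                               const struct region_chunk *chunks, size_t nchunks)
{
    size_t total = dst_count * sizeof(struct vring_desc);
    size_t copied = 0;

    for (size_t i = 0; i < nchunks; i++) {
        if (chunks[i].len > total - copied) {
            return -1;                       /* chunk would overrun dst */
        }
        memcpy((uint8_t *)dst + copied, chunks[i].data, chunks[i].len);
        copied += chunks[i].len;             /* byte count, byte pointer */
    }
    return copied == total ? (int)dst_count : -1;
}

/*
 * Constructed sample: a 4-entry indirect table whose region boundary falls
 * after the third descriptor (48 bytes), so the copy needs two chunks.
 * Returns 4 when the reassembled table matches the source.
 */
int demo_chunked_copy(void)
{
    struct vring_desc src[4];
    struct vring_desc dst[4];
    const uint8_t *bytes = (const uint8_t *)src;

    for (int i = 0; i < 4; i++) {
        src[i].addr  = 0x1000u * (unsigned)(i + 1);
        src[i].len   = 512;
        src[i].flags = (i < 3) ? 1 : 0;      /* 1 = VRING_DESC_F_NEXT (virtio spec) */
        src[i].next  = (uint16_t)(i + 1);
    }

    struct region_chunk chunks[2] = {
        { bytes,                                3 * sizeof(struct vring_desc) },
        { bytes + 3 * sizeof(struct vring_desc), sizeof(struct vring_desc) },
    };

    if (read_indirect_desc_chunked(dst, 4, chunks, 2) != 4) {
        return -1;
    }
    return memcmp(src, dst, sizeof src) == 0 ? 4 : -2;
}

/* Constructed failure case: an 80-byte chunk offered for a 64-byte table. */
int demo_oversized_chunk(void)
{
    uint8_t blob[80] = {0};
    struct region_chunk chunk = { blob, sizeof blob };
    struct vring_desc dst[4];

    return read_indirect_desc_chunked(dst, 4, &chunk, 1);   /* -1 */
}
```

The two offset helpers make the failure mode concrete: after 16 bytes have been copied, the struct-typed pointer points 256 bytes into the destination while the byte-typed one points 16 bytes in, so a table of a few dozen descriptors is enough to write well past the end of the buffer. The safe copy keeps the running count and the pointer in the same unit and refuses any chunk set that does not fit the table exactly.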