[PULL 2/3] hw/audio/virtio-snd: fix invalid param check

Michael S. Tsirkin posted 3 patches 3 months ago
[PULL 2/3] hw/audio/virtio-snd: fix invalid param check
Posted by Michael S. Tsirkin 3 months ago
From: Volker Rümelin <vr_qemu@t-online.de>

Commit 9b6083465f ("virtio-snd: check for invalid param shift
operands") tries to prevent invalid parameters specified by the
guest. However, the code is not correct.

Change the code so that the parameters format and rate, which are
bit numbers, are compared with the bit size of the data type.

Fixes: 9b6083465f ("virtio-snd: check for invalid param shift operands")
Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
Message-Id: <20240802071805.7123-1-vr_qemu@t-online.de>
Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
---
 hw/audio/virtio-snd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
index e5196aa4bb..d1cf5eb445 100644
--- a/hw/audio/virtio-snd.c
+++ b/hw/audio/virtio-snd.c
@@ -282,12 +282,12 @@ uint32_t virtio_snd_set_pcm_params(VirtIOSound *s,
         error_report("Number of channels is not supported.");
         return cpu_to_le32(VIRTIO_SND_S_NOT_SUPP);
     }
-    if (BIT(params->format) > sizeof(supported_formats) ||
+    if (params->format >= sizeof(supported_formats) * BITS_PER_BYTE ||
         !(supported_formats & BIT(params->format))) {
         error_report("Stream format is not supported.");
         return cpu_to_le32(VIRTIO_SND_S_NOT_SUPP);
     }
-    if (BIT(params->rate) > sizeof(supported_rates) ||
+    if (params->rate >= sizeof(supported_rates) * BITS_PER_BYTE ||
         !(supported_rates & BIT(params->rate))) {
         error_report("Stream rate is not supported.");
         return cpu_to_le32(VIRTIO_SND_S_NOT_SUPP);
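
Review bot: The new bound in both conditions comes from sizeof(supported_formats) and sizeof(supported_rates), but the shift on the following line is still done by BIT(), whose result width this hunk does not show. The range check only keeps BIT(params->format) and BIT(params->rate) well defined if BIT() produces a type at least as wide as those two masks. A build-time assertion on that relationship, or a short comment stating it, would keep the bound and the shift from drifting apart if the mask type is ever widened.
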
-- 
MST


Re: [PULL 2/3] hw/audio/virtio-snd: fix invalid param check
Posted by Volker Rümelin 2 months, 3 weeks ago
Cc: qemu-stable@nongnu.org

Without this patch, the virtio-sound device will not work in the next
QEMU stable-8.2 and stable-9.0 versions.

With best regards,
Volker

> From: Volker Rümelin <vr_qemu@t-online.de>
>
> Commit 9b6083465f ("virtio-snd: check for invalid param shift
> operands") tries to prevent invalid parameters specified by the
> guest. However, the code is not correct.
>
> Change the code so that the parameters format and rate, which are
> bit numbers, are compared with the bit size of the data type.
>
> Fixes: 9b6083465f ("virtio-snd: check for invalid param shift operands")
> Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
> Message-Id: <20240802071805.7123-1-vr_qemu@t-online.de>
> Reviewed-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
> Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> ---
>  hw/audio/virtio-snd.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
> index e5196aa4bb..d1cf5eb445 100644
> --- a/hw/audio/virtio-snd.c
> +++ b/hw/audio/virtio-snd.c
> @@ -282,12 +282,12 @@ uint32_t virtio_snd_set_pcm_params(VirtIOSound *s,
>          error_report("Number of channels is not supported.");
>          return cpu_to_le32(VIRTIO_SND_S_NOT_SUPP);
>      }
> -    if (BIT(params->format) > sizeof(supported_formats) ||
> +    if (params->format >= sizeof(supported_formats) * BITS_PER_BYTE ||
>          !(supported_formats & BIT(params->format))) {
>          error_report("Stream format is not supported.");
>          return cpu_to_le32(VIRTIO_SND_S_NOT_SUPP);
>      }
> -    if (BIT(params->rate) > sizeof(supported_rates) ||
> +    if (params->rate >= sizeof(supported_rates) * BITS_PER_BYTE ||
>          !(supported_rates & BIT(params->rate))) {
>          error_report("Stream rate is not supported.");
>          return cpu_to_le32(VIRTIO_SND_S_NOT_SUPP);
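
Review bot: Neither rewritten condition has a comment saying that params->format and params->rate are bit indices into supported_formats and supported_rates rather than masks, which is exactly what the removed lines got wrong: "BIT(params->format) > sizeof(supported_formats)" compares a mask against a byte count. A one-line comment above the first check would record the intent. Since the format and rate tests are now the same range-then-membership pattern written twice, folding them into one small helper taking the mask and the index would also leave a single place to get the bound right.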