[Stable-9.0.3 11/69] virtio-snd: add max size bounds check in input cb
From: Michael Tokarev
Subject: [Stable-9.0.3 11/69] virtio-snd: add max size bounds check in input cb
Date: Fri, 6 Sep 2024 14:12:20 +0300
From: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
When reading input audio in the virtio-snd input callback,
virtio_snd_pcm_in_cb(), we do not check whether the iov can actually fit
the data buffer. This is because we use the buffer->size field as a
total-so-far accumulator instead of byte-size-left like in TX buffers.
This triggers an out-of-bounds write if the size of the virtio queue
element is equal to virtio_snd_pcm_status, which makes the available
space for audio data zero. This commit adds a check for reaching the
maximum buffer size before attempting any writes.
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2427
Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Message-Id: <virtio-snd-fuzz-2427-fix-v1-manos.pitsidianakis@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
index 4a56c00ec9..541f0797ac 100644
--- a/hw/audio/virtio-snd.c
+++ b/hw/audio/virtio-snd.c
@@ -1261,7 +1261,7 @@ static void virtio_snd_pcm_in_cb(void *data, int
available)
{
VirtIOSoundPCMStream *stream = data;
VirtIOSoundPCMBuffer *buffer;
- size_t size;
+ size_t size, max_size;
WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) {
while (!QSIMPLEQ_EMPTY(&stream->queue)) {
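Review bot: `max_size` is assigned per buffer inside the `while` loop in the next hunk, so its scope could be narrowed to that loop body instead of sitting next to `size` at function scope; declared where it is, a reader may take it for a value that carries across iterations the way `buffer->size` does. Putting `size_t max_size;` at the top of the `while` body keeps the declarations-before-statements convention while tying the variable to the one element it describes.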
@@ -1275,7 +1275,12 @@ static void virtio_snd_pcm_in_cb(void *data, int
available)
continue;
}
+ max_size = iov_size(buffer->elem->in_sg, buffer->elem->in_num);
for (;;) {
+ if (buffer->size >= max_size) {
+ return_rx_buffer(stream, buffer);
+ break;
+ }
size = AUD_read(stream->voice.in,
buffer->data + buffer->size,
MIN(available, (stream->params.period_bytes -
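Review bot: the new bound compares `buffer->size` against the full `iov_size()` of `in_sg`, yet the commit message says the element also carries a `virtio_snd_pcm_status`; if `buffer->data` covers only the audio portion of the element, the comparison should be against `max_size - sizeof(virtio_snd_pcm_status)`, which is worth confirming against the allocation in the RX handler (not visible in this hunk). Separately, the check only gates entry to the read: the length handed to `AUD_read` is still `MIN(available, (stream->params.period_bytes - buffer->size))`, so a read that starts just below `max_size` can still run past it when `period_bytes` is larger than the element. Clamping that length with `max_size - buffer->size` as well would make the bound hold per read rather than only per loop iteration.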
--
2.39.2
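The accumulator convention the commit message describes, modelled in an added C example that is not QEMU's code and not part of this patch: `RxBuffer`, `STATUS_SIZE`, `rx_capacity`, `fake_aud_read`, `fill_unchecked` and `fill_checked` are all constructed names, the 8-byte status header is a stand-in for `sizeof(virtio_snd_pcm_status)`, and whether the data area excludes that header is an assumption. The checked variant goes one step beyond the patch by also clamping each read to the room left in the element, not just testing the accumulator before the read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN_SZ(a, b) ((a) < (b) ? (a) : (b))

/* ASSUMPTION: the guest element starts with a fixed-size status header and
 * audio bytes follow it; 8 is a stand-in for sizeof(virtio_snd_pcm_status). */
#define STATUS_SIZE 8u

/* Constructed stand-in for the RX buffer of virtio_snd_pcm_in_cb(): `size`
 * is a total-so-far accumulator, the convention the commit message names.
 * This is not QEMU's VirtIOSoundPCMBuffer. */
typedef struct {
    size_t elem_size;   /* iov_size() of the guest element's in_sg */
    size_t size;        /* bytes written so far (accumulator, not bytes-left) */
    uint8_t data[256];  /* backing store for the audio portion of the element */
} RxBuffer;

/* Audio bytes the element can hold, clamped to the model's backing store. */
static size_t rx_capacity(const RxBuffer *b)
{
    size_t cap = b->elem_size > STATUS_SIZE ? b->elem_size - STATUS_SIZE : 0;
    return MIN_SZ(cap, sizeof b->data);
}

/* Stand-in for AUD_read(): delivers `want` bytes of a constant sample. */
static size_t fake_aud_read(uint8_t *dst, size_t want)
{
    memset(dst, 0xAB, want);
    return want;
}

/* Pre-fix loop shape: the read length is bounded by period_bytes only.
 * The model clamps the actual write to the backing store and reports the
 * excess in *overflow instead of corrupting memory; the return value is the
 * final accumulator, which the unchecked loop lets exceed the capacity. */
static size_t fill_unchecked(RxBuffer *b, size_t period_bytes,
                             size_t available, size_t *overflow)
{
    size_t cap = rx_capacity(b);
    *overflow = 0;
    while (available > 0 && b->size < period_bytes) {
        size_t want = MIN_SZ(available, period_bytes - b->size);
        size_t fits = b->size < cap ? MIN_SZ(want, cap - b->size) : 0;
        if (fits) {
            fake_aud_read(b->data + b->size, fits);
        }
        *overflow += want - fits;
        b->size += want;          /* accumulator advances by the full request */
        available -= want;
    }
    return b->size;
}

/* Post-fix loop shape: stop once the accumulator reaches the element's
 * capacity (the patch's `buffer->size >= max_size` test) and, in addition,
 * clamp each read to the room left so a single read can never overshoot. */
static size_t fill_checked(RxBuffer *b, size_t period_bytes, size_t available)
{
    size_t cap = rx_capacity(b);
    while (available > 0 && b->size < period_bytes) {
        if (b->size >= cap) {
            break;                /* element full: hand it back to the guest */
        }
        size_t want = MIN_SZ(available, period_bytes - b->size);
        want = MIN_SZ(want, cap - b->size);
        b->size += fake_aud_read(b->data + b->size, want);
        available -= want;
    }
    return b->size;
}

int main(void)
{
    /* Constructed inputs: an element with no room for audio (the reported
     * case) and one with 16 audio bytes, each fed a 32-byte period. */
    RxBuffer a = { STATUS_SIZE, 0, {0} }, b = { STATUS_SIZE, 0, {0} };
    RxBuffer c = { STATUS_SIZE + 16, 0, {0} }, d = { STATUS_SIZE + 16, 0, {0} };
    size_t over;

    fill_unchecked(&a, 32, 32, &over);
    printf("zero-room element, unchecked: %zu bytes past the end\n", over);
    printf("zero-room element, checked:   %zu bytes written\n", fill_checked(&b, 32, 32));
    fill_unchecked(&c, 32, 32, &over);
    printf("16-byte element, unchecked:   %zu bytes past the end\n", over);
    printf("16-byte element, checked:     %zu bytes written\n", fill_checked(&d, 32, 32));
    return 0;
}
```

The zero-room case is the one the commit message reports: with the element no larger than the status header, the unchecked loop still issues a full-period read, whereas the checked loop returns the element untouched. Because `size` counts bytes already placed rather than bytes remaining, the bound has to be the element's capacity, not the period length, and it has to be consulted before each write.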