[Stable-8.2.7 09/53] virtio-snd: add max size bounds check in input cb
From: Michael Tokarev
Subject: [Stable-8.2.7 09/53] virtio-snd: add max size bounds check in input cb
Date: Fri, 6 Sep 2024 09:53:39 +0300
From: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
When reading input audio in the virtio-snd input callback,
virtio_snd_pcm_in_cb(), we do not check whether the iov can actually fit
the data buffer. This is because we use the buffer->size field as a
total-so-far accumulator instead of byte-size-left like in TX buffers.
This triggers an out of bounds write if the size of the virtio queue
element is equal to virtio_snd_pcm_status, which makes the available
space for audio data zero. This commit adds a check for reaching the
maximum buffer size before attempting any writes.
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2427
Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Message-Id: <virtio-snd-fuzz-2427-fix-v1-manos.pitsidianakis@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
index 092ba2302b..4d15fe0e31 100644
--- a/hw/audio/virtio-snd.c
+++ b/hw/audio/virtio-snd.c
@@ -1261,7 +1261,7 @@ static void virtio_snd_pcm_in_cb(void *data, int
available)
{
VirtIOSoundPCMStream *stream = data;
VirtIOSoundPCMBuffer *buffer;
- size_t size;
+ size_t size, max_size;
WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) {
while (!QSIMPLEQ_EMPTY(&stream->queue)) {
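Review bot: `max_size` is declared at function scope alongside `size`, but it is only ever assigned and used per-buffer inside the `while` loop body; declaring it at the point of assignment in the loop would keep its scope tied to the buffer it describes and make it harder to reuse a stale value for the next element. Purely a style point, the behaviour is unchanged either way.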
@@ -1275,7 +1275,12 @@ static void virtio_snd_pcm_in_cb(void *data, int
available)
continue;
}
+ max_size = iov_size(buffer->elem->in_sg, buffer->elem->in_num);
for (;;) {
+ if (buffer->size >= max_size) {
+ return_rx_buffer(stream, buffer);
+ break;
+ }
size = AUD_read(stream->voice.in,
buffer->data + buffer->size,
MIN(available, (stream->params.period_bytes -
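Review bot: the new check only refuses to *start* another read once `buffer->size >= max_size`; it does not clamp the length of the read that follows, which is still `MIN(available, stream->params.period_bytes - buffer->size)` in the unchanged context lines. If `max_size - buffer->size` is smaller than that value, a single `AUD_read()` can still run past `max_size`. Consider also bounding the read length by `max_size - buffer->size`. Relatedly, `max_size` is the full `in_sg` size, whereas the commit message says the element also carries the trailing `virtio_snd_pcm_status`, so the writable audio region is smaller than `max_size`; if the data area was sized without the status struct, the bound should subtract `sizeof(virtio_snd_pcm_status)` as well, or a comment should state why the full element size is the intended limit here.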
--
2.39.2