[Stable-8.2.7 10/53] virtio-snd: check for invalid param shift operands
From: Michael Tokarev
Subject: [Stable-8.2.7 10/53] virtio-snd: check for invalid param shift operands
Date: Fri, 6 Sep 2024 09:53:40 +0300
From: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
When setting the parameters of a PCM stream, we compute the bit flag
with the format and rate values as shift operand to check if they are
set in supported_formats and supported_rates.
If the guest provides a format/rate value which when shifting 1 results
in a value bigger than the number of bits in
supported_formats/supported_rates, we must report an error.
Previously, this ended up triggering the not reached assertions later
when converting to internal QEMU values.
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2416
Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Message-Id: <virtio-snd-fuzz-2416-fix-v1-manos.pitsidianakis@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 9b6083465fb8311f2410615f8303a41f580a2a20)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
index 4d15fe0e31..f0e7349c8a 100644
--- a/hw/audio/virtio-snd.c
+++ b/hw/audio/virtio-snd.c
@@ -282,11 +282,13 @@ uint32_t virtio_snd_set_pcm_params(VirtIOSound *s,
error_report("Number of channels is not supported.");
return cpu_to_le32(VIRTIO_SND_S_NOT_SUPP);
}
- if (!(supported_formats & BIT(params->format))) {
+ if (BIT(params->format) > sizeof(supported_formats) ||
+ !(supported_formats & BIT(params->format))) {
error_report("Stream format is not supported.");
return cpu_to_le32(VIRTIO_SND_S_NOT_SUPP);
}
- if (!(supported_rates & BIT(params->rate))) {
+ if (BIT(params->rate) > sizeof(supported_rates) ||
+ !(supported_rates & BIT(params->rate))) {
error_report("Stream rate is not supported.");
return cpu_to_le32(VIRTIO_SND_S_NOT_SUPP);
}
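Review bot: the new bound tests at `if (BIT(params->format) > sizeof(supported_formats) ||` and `if (BIT(params->rate) > sizeof(supported_rates) ||` compare the shifted mask against sizeof(), which is a byte count, not a bit count, and they evaluate BIT(params->format) / BIT(params->rate) before the bound is examined, so an out-of-range guest index is still used as a shift amount (shifting by a value at or above the operand width is undefined behaviour in C, which is exactly what the check is meant to prevent). If supported_formats and supported_rates are 64-bit masks, sizeof() is 8 and every index above 3 already trips the first comparison (BIT(4) == 16 > 8), so the guard rejects valid formats and rates rather than only the out-of-range ones. Compare the index itself against the width in bits, before any shift: `if (params->format >= sizeof(supported_formats) * BITS_PER_BYTE ||` / `    !(supported_formats & BIT(params->format))) {`, and the same shape for params->rate.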
--
2.39.2
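The check the commit message describes, as an added example that is not QEMU code: a guest supplies a small integer that the device uses as a bit index into a 64-bit capability mask, and the index has to be bounded against the mask's width in bits before it is ever used as a shift operand. The mask contents, the VIRTIO_SND_PCM_FMT_* / VIRTIO_SND_PCM_RATE_* index values and the function names are constructed for the example (the index values follow the virtio-snd enum ordering as I recall it; treat them as illustrative). The second checker mirrors a comparison against sizeof(), i.e. bytes, to show how that variant rejects valid indices.

```c
/*
 * Added example, not part of QEMU: bounding a guest-supplied bit index
 * before it is used as a shift operand against a 64-bit capability mask.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_BYTE 8
#define BIT64(nr) (UINT64_C(1) << (nr))

/* Assumed index values, after the virtio-snd spec enums (illustrative). */
enum { FMT_A_LAW = 2, FMT_S8 = 3, FMT_U8 = 4, FMT_S16 = 5, FMT_U16 = 6,
       FMT_S32 = 17, FMT_U32 = 18, FMT_FLOAT = 19 };
enum { RATE_8000 = 1, RATE_44100 = 6, RATE_48000 = 7, RATE_192000 = 12 };

/* Constructed capability masks for a hypothetical device. */
static const uint64_t supported_formats =
    BIT64(FMT_S8) | BIT64(FMT_U8) | BIT64(FMT_S16) | BIT64(FMT_U16) |
    BIT64(FMT_S32) | BIT64(FMT_U32) | BIT64(FMT_FLOAT);
static const uint64_t supported_rates =
    BIT64(RATE_8000) | BIT64(RATE_44100) | BIT64(RATE_48000) |
    BIT64(RATE_192000);

/*
 * Correct form: compare the *shift amount* against the mask width in
 * bits, and do it before shifting. The width is derived from the mask's
 * own type, so the bound follows the type if it ever changes.
 */
bool mask_has_bit(uint64_t mask, uint32_t idx)
{
    if (idx >= sizeof(mask) * BITS_PER_BYTE) {
        return false;                 /* shift by >= width would be UB */
    }
    return (mask & BIT64(idx)) != 0;
}

bool format_supported(uint32_t format)
{
    return mask_has_bit(supported_formats, format);
}

bool rate_supported(uint32_t rate)
{
    return mask_has_bit(supported_rates, rate);
}

/*
 * Flawed form: compares the shifted *value* against sizeof(), which is a
 * byte count (8 for a uint64_t), so any index above 3 is rejected even when
 * the mask has that bit set. The explicit < 64 guard is only here to keep
 * this demonstration free of undefined behaviour; the comparison below is
 * the part that is wrong.
 */
bool format_supported_bytes_compare(uint32_t format)
{
    if (format >= 64) {
        return false;
    }
    if (BIT64(format) > sizeof(supported_formats) ||
        !(supported_formats & BIT64(format))) {
        return false;
    }
    return true;
}

int main(void)
{
    /* Constructed guest-supplied values: valid, unsupported, out of range. */
    const uint32_t guest_formats[] = { FMT_S8, FMT_S16, FMT_FLOAT, FMT_A_LAW,
                                       63, 64, 200 };
    for (size_t i = 0; i < sizeof(guest_formats) / sizeof(guest_formats[0]); i++) {
        uint32_t f = guest_formats[i];
        printf("format %3u: bits-bounded=%d  bytes-compare=%d\n", f,
               format_supported(f), format_supported_bytes_compare(f));
    }
    printf("rate %u: %d, rate 64: %d\n", RATE_48000,
           rate_supported(RATE_48000), rate_supported(64));
    return 0;
}
```

The loop in main() prints, for each constructed guest value, both decisions side by side: the bit-width check accepts S8, S16 and FLOAT and rejects A_LAW, 63, 64 and 200, while the byte-count comparison accepts only S8 (BIT(3) == 8 is not greater than 8) and rejects every other valid format.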