From: Stefan Hajnoczi <stefanha@redhat.com>
To: Damien Le Moal <dlemoal@kernel.org>
Cc: qemu-devel@nongnu.org, Hanna Reitz <hreitz@redhat.com>,
qemu-stable@nongnu.org, qemu-block@nongnu.org,
Kevin Wolf <kwolf@redhat.com>,
Peter Maydell <peter.maydell@linaro.org>,
"Michael S. Tsirkin" <mst@redhat.com>,
Sam Li <faithilikerun@gmail.com>,
Dmitry Fomichev <dmitry.fomichev@wdc.com>,
Mingyuan Luo <myluo24@m.fudan.edu.cn>
Subject: Re: [PATCH for-11.0] virtio-blk: fix zone report buffer out-of-memory (CVE-2026-5761)
Date: Fri, 10 Apr 2026 08:01:53 -0400 [thread overview]
Message-ID: <20260410120153.GA481491@fedora> (raw)
In-Reply-To: <878d1716-230f-4bcf-9806-1076c19246b7@kernel.org>
[-- Attachment #1: Type: text/plain, Size: 5938 bytes --]
On Fri, Apr 10, 2026 at 05:58:53AM +0200, Damien Le Moal wrote:
> On 2026/04/09 22:07, Stefan Hajnoczi wrote:
> > An internal buffer is used when processing VIRTIO_BLK_T_ZONE_REPORT
> > requests. The buffer's size is controlled by the guest. A large value
> > can result in g_malloc() failure and the QEMU process aborts, resulting
> > in a Denial of Service (DoS) (most likely in cases where an untrusted
> > guest application or a nested guest with virtio-blk passthrough is able
> > to abort QEMU).
> >
> > Modify the zone report implementation to work incrementally with a
> > bounded buffer size.
> >
> > This is purely a QEMU implementation issue and no VIRTIO spec changes
> > are needed.
> >
> > Mingyuan Luo found this bug and provided a reproducer which I haven't
> > put into tests/qtest/ because it requires a zoned storage device (e.g.
> > root and modprobe null_blk):
> >
> > 1) Prepare a zoned nullblk backend (/dev/nullb0):
> >
> > sudo modprobe -r null_blk || true
> > sudo modprobe null_blk nr_devices=1 zoned=1
> > sudo chmod 0666 /dev/nullb0
> > cat /sys/block/nullb0/queue/zoned
> >
> > 2) Create qtest input:
> >
> > cat >/tmp/vblk-zone-report-oom.qtest <<'EOF'
> > outl 0xcf8 0x80002004
> > outw 0xcfc 0x0007
> > outl 0xcf8 0x80002010
> > outl 0xcfc 0x0000c001
> > outb 0xc012 0x00
> > outb 0xc012 0x01
> > outb 0xc012 0x03
> > outl 0xc004 0x00000000
> > outw 0xc00e 0x0000
> > outl 0xc008 0x00000100
> > outb 0xc012 0x07
> > writel 0x00020000 0x00000010
> > writel 0x00020004 0x00000000
> > writeq 0x00020008 0x0000000000000000
> > writeq 0x00100000 0x0000000000020000
> > writel 0x00100008 0x00000010
> > writew 0x0010000c 0x0001
> > writew 0x0010000e 0x0001
> > EOF
> >
> > for i in $(seq 1 1022); do
> > d=$((0x00100000 + i * 16))
> > n=$((i + 1))
> > printf 'writeq 0x%08x 0x0000000000200000\n' "$d" >> /tmp/vblk-zone-report-oom.qtest
> > printf 'writel 0x%08x 0x1fe00000\n' $((d + 8)) >> /tmp/vblk-zone-report-oom.qtest
> > printf 'writew 0x%08x 0x0003\n' $((d + 12)) >> /tmp/vblk-zone-report-oom.qtest
> > printf 'writew 0x%08x 0x%04x\n' $((d + 14)) "$n" >> /tmp/vblk-zone-report-oom.qtest
> > done
> >
> > d=$((0x00100000 + 1023 * 16))
> > printf 'writeq 0x%08x 0x0000000000200000\n' "$d" >> /tmp/vblk-zone-report-oom.qtest
> > printf 'writel 0x%08x 0x1fe00000\n' $((d + 8)) >> /tmp/vblk-zone-report-oom.qtest
> > printf 'writew 0x%08x 0x0002\n' $((d + 12)) >> /tmp/vblk-zone-report-oom.qtest
> > printf 'writew 0x%08x 0x0000\n' $((d + 14)) >> /tmp/vblk-zone-report-oom.qtest
> > cat >> /tmp/vblk-zone-report-oom.qtest <<'EOF'
> > writew 0x00104000 0x0000
> > writew 0x00104002 0x0001
> > writew 0x00104004 0x0000
> > outw 0xc010 0x0000
> > EOF
> >
> > 3) Run the qtest input with ASAN build (compile qemu with --enable-asan):
> >
> > build/qemu-system-x86_64 -display none \
> > -accel qtest -qtest stdio \
> > -machine pc -nodefaults -m 512M -monitor none -serial none \
> > -blockdev driver=host_device,node-name=disk0,filename=/dev/nullb0 \
> > -device virtio-blk-pci-transitional,drive=disk0,addr=04.0,queue-size=1024 \
> > < /tmp/vblk-zone-report-oom.qtest
> >
> > Cc: Sam Li <faithilikerun@gmail.com>
> > Cc: Damien Le Moal <dlemoal@kernel.org>
> > Cc: Dmitry Fomichev <dmitry.fomichev@wdc.com>
> > Fixes: CVE-2026-5761
> > Fixes: 4f7366506a9 ("virtio-blk: add zoned storage emulation for zoned devices")
> > Reported-by: Mingyuan Luo <myluo24@m.fudan.edu.cn>
> > Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
>
> Overall, looks OK to me, modulo one nit below.
>
> With that fixed, feel free to add:
>
> Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
>
> [...]
>
> > @@ -529,28 +538,18 @@ static void virtio_blk_zone_report_complete(void *opaque, int ret)
> > goto out;
> > }
> >
> > - zrp_size = sizeof(struct virtio_blk_zone_report)
> > - + sizeof(struct virtio_blk_zone_descriptor) * nz;
> > - n = iov_from_buf(in_iov, in_num, 0, &zrp_hdr, sizeof(zrp_hdr));
> > - if (n != sizeof(zrp_hdr)) {
> > - virtio_error(vdev, "Driver provided input buffer that is too small!");
> > - err_status = VIRTIO_BLK_S_ZONE_INVALID_CMD;
> > - goto out;
> > - }
> > -
> > - for (size_t i = sizeof(zrp_hdr); i < zrp_size;
> > - i += sizeof(struct virtio_blk_zone_descriptor), ++j) {
> > + for (size_t j = 0; j < nz; j++) {
>
> nz is an int64_t, so signed, but j is an unsigned size_t. This can generate
> compiler/code checker warnings.
Hi Damien,
Thanks for the review! blk_aio_report_zones() takes an unsigned int
*nr_zones in/out argument and that's also the type of the
ZoneReportData->nr_zones field that nz is initialized from. So I ended
up changing both nz and j's types to unsigned since that is ultimately
the type that blk_aio_report_zones() uses. The int64_t range wasn't
actually being used and size_t wasn't necessary since the value is
capped by nz.
I will send a v2 with the following change on top:
diff --git i/hw/block/virtio-blk.c w/hw/block/virtio-blk.c
index 7fd883320a..9cb9f1fb2b 100644
--- i/hw/block/virtio-blk.c
+++ w/hw/block/virtio-blk.c
@@ -528,7 +528,7 @@ static void virtio_blk_zone_report_complete(void *opaque, int ret)
struct iovec *in_iov = data->in_iov;
unsigned in_num = data->in_num;
int64_t n;
- int64_t nz = zrd->nr_zones;
+ unsigned nz = zrd->nr_zones;
int8_t err_status = VIRTIO_BLK_S_OK;
struct virtio_blk_zone_report zrp_hdr = {};
@@ -538,7 +538,7 @@ static void virtio_blk_zone_report_complete(void *opaque, int ret)
goto out;
}
- for (size_t j = 0; j < nz; j++) {
+ for (unsigned j = 0; j < nz; j++) {
struct virtio_blk_zone_descriptor desc =
(struct virtio_blk_zone_descriptor) {
.z_start = cpu_to_le64(zrd->zones[j].start
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
prev parent reply other threads:[~2026-04-10 12:02 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-09 20:07 [PATCH for-11.0] virtio-blk: fix zone report buffer out-of-memory (CVE-2026-5761) Stefan Hajnoczi
2026-04-10 3:58 ` Damien Le Moal
2026-04-10 12:01 ` Stefan Hajnoczi [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260410120153.GA481491@fedora \
--to=stefanha@redhat.com \
--cc=dlemoal@kernel.org \
--cc=dmitry.fomichev@wdc.com \
--cc=faithilikerun@gmail.com \
--cc=hreitz@redhat.com \
--cc=kwolf@redhat.com \
--cc=mst@redhat.com \
--cc=myluo24@m.fudan.edu.cn \
--cc=peter.maydell@linaro.org \
--cc=qemu-block@nongnu.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.