From: Matias Ezequiel Vara Larsen <mvaralar@redhat.com>
To: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Cc: qemu-devel@nongnu.org, qemu-stable@nongnu.org,
	"Thomas Huth" <thuth@redhat.com>,
	"Philippe Mathieu-Daudé" <philmd@linaro.org>,
	"Gustavo Romero" <gustavo.romero@linaro.org>,
	"Pierrick Bouvier" <pierrick.bouvier@linaro.org>,
	"Zheyu Ma" <zheyuma97@gmail.com>,
	"Michael S. Tsirkin" <mst@redhat.com>,
	"Gerd Hoffmann" <kraxel@redhat.com>
Subject: Re: [PATCH v1 1/1] virtio-snd: add max size bounds check in input cb
Date: Tue, 9 Jul 2024 16:16:27 +0200	[thread overview]
Message-ID: <Zo1GOxXWjmxSBDPv@fedora> (raw)
In-Reply-To: <virtio-snd-fuzz-2427-fix-v1-manos.pitsidianakis@linaro.org>

Thanks Manos for sending this,

On Mon, Jul 08, 2024 at 10:09:49AM +0300, Manos Pitsidianakis wrote:
> When reading input audio in the virtio-snd input callback,
> virtio_snd_pcm_in_cb(), we do not check whether the iov can actually fit
> the data buffer. This is because we use the buffer->size field as a
> total-so-far accumulator instead of byte-size-left like in TX buffers.
> 
> This triggers an out of bounds write if the size of the virtio queue
> element is equal to virtio_snd_pcm_status, which makes the available
> space for audio data zero.

Do you mean that the guest driver has set up a request in the rx queue
in which the writable chain of descriptors only contains the status? Is
this correct? Is `available` indicating the available space in the
virtqueue?

Thanks, Matias.
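The failure mode the patch description refers to (an RX element whose writable area is only large enough for the status trailer, so the audio area is zero bytes, while the callback keeps writing at an ever-growing offset) can be modelled outside QEMU. The following is an added illustration written for this archive page, not QEMU's virtio-snd code: `struct sg_entry`, `struct rx_buffer`, `struct pcm_status` and the `rx_copy_*` functions are hypothetical stand-ins for the device-writable scatter list, the per-buffer `size` accumulator and `virtio_snd_pcm_status`. It shows the unchecked arithmetic (reported as an overrun count rather than performed, so the demo stays memory-safe) next to a checked copy that derives the remaining audio room from the element's total length minus the trailer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for one entry of the device-writable part of a
 * virtqueue element (what the guest driver offers for the device to fill). */
struct sg_entry {
    uint8_t *base;
    size_t   len;
};

/* Hypothetical per-request state: `size` is a total-so-far accumulator,
 * i.e. how many audio bytes have already been written into the element. */
struct rx_buffer {
    struct sg_entry *sg;
    unsigned         sg_num;
    size_t           size;
};

/* Stand-in for the status trailer that occupies the end of the element. */
struct pcm_status {
    uint32_t status;
    uint32_t latency_bytes;
};

static size_t sg_total(const struct sg_entry *sg, unsigned n)
{
    size_t t = 0;
    for (unsigned i = 0; i < n; i++) {
        t += sg[i].len;
    }
    return t;
}

/* Copy `len` bytes at byte offset `off` into the scatter list; never writes
 * past the list and returns the number of bytes actually placed. */
static size_t sg_write(struct sg_entry *sg, unsigned n, size_t off,
                       const uint8_t *src, size_t len)
{
    size_t done = 0;
    for (unsigned i = 0; i < n && done < len; i++) {
        if (off >= sg[i].len) {
            off -= sg[i].len;
            continue;
        }
        size_t chunk = sg[i].len - off;
        if (chunk > len - done) {
            chunk = len - done;
        }
        memcpy(sg[i].base + off, src + done, chunk);
        done += chunk;
        off = 0;
    }
    return done;
}

/* Unchecked reasoning: trust the accumulator and the requested length without
 * comparing them to what the element can hold. Instead of writing, report how
 * many bytes would land past the audio area (into the trailer or beyond). */
static size_t rx_copy_unchecked_overrun(const struct rx_buffer *b, size_t len)
{
    size_t total = sg_total(b->sg, b->sg_num);
    size_t audio_cap = total >= sizeof(struct pcm_status)
                     ? total - sizeof(struct pcm_status) : 0;
    size_t end = b->size + len;
    return end > audio_cap ? end - audio_cap : 0;
}

/* Checked variant: room = (element length - trailer) - bytes written so far.
 * Returns the number of audio bytes copied; 0 when the element is full or
 * only had room for the trailer in the first place. */
static size_t rx_copy_checked(struct rx_buffer *b, const uint8_t *src, size_t len)
{
    size_t total = sg_total(b->sg, b->sg_num);
    if (total < sizeof(struct pcm_status)) {
        return 0;                       /* malformed: no room even for status */
    }
    size_t audio_cap = total - sizeof(struct pcm_status);
    if (b->size >= audio_cap) {
        return 0;                       /* nothing left, or status-only element */
    }
    size_t room = audio_cap - b->size;
    if (len > room) {
        len = room;
    }
    size_t n = sg_write(b->sg, b->sg_num, b->size, src, len);
    b->size += n;
    return n;
}

/* Scenario 1 (constructed): the element is exactly one status trailer long. */
size_t scenario_status_only_checked(void)
{
    uint8_t elem[sizeof(struct pcm_status)];
    uint8_t src[16] = {0};
    struct sg_entry sg[1] = {{elem, sizeof elem}};
    struct rx_buffer b = {sg, 1, 0};
    return rx_copy_checked(&b, src, sizeof src);
}

size_t scenario_status_only_overrun(void)
{
    uint8_t elem[sizeof(struct pcm_status)];
    struct sg_entry sg[1] = {{elem, sizeof elem}};
    struct rx_buffer b = {sg, 1, 0};
    return rx_copy_unchecked_overrun(&b, 16);
}

/* Scenario 2 (constructed): 20 bytes of audio room split over two entries,
 * plus the 8-byte trailer, fed 16 bytes three times. Returns the accumulated
 * size (20) and reports whether the trailer bytes (0xAA) were left untouched. */
size_t scenario_two_chunks(bool *trailer_intact, size_t *second_copy)
{
    uint8_t elem[28];
    uint8_t src[16];
    memset(elem, 0xAA, sizeof elem);
    memset(src, 0x11, sizeof src);
    struct sg_entry sg[2] = {{elem, 12}, {elem + 12, 16}};
    struct rx_buffer b = {sg, 2, 0};
    rx_copy_checked(&b, src, sizeof src);                 /* 16 bytes */
    size_t second = rx_copy_checked(&b, src, sizeof src); /* only 4 fit */
    rx_copy_checked(&b, src, sizeof src);                 /* 0: full */
    bool intact = true;
    for (size_t i = 20; i < sizeof elem; i++) {
        intact = intact && elem[i] == 0xAA;
    }
    if (trailer_intact) *trailer_intact = intact;
    if (second_copy)    *second_copy = second;
    return b.size;
}
```

The check that matters is the one on the accumulator before any copy: once `size` reaches the element length minus the trailer, further input must be dropped (or the request completed), because the accumulator only ever grows and the element length is chosen by the guest.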



Thread overview: 5+ messages
2024-07-08  7:09 [PATCH v1 1/1] virtio-snd: add max size bounds check in input cb Manos Pitsidianakis
2024-07-08  8:28 ` Philippe Mathieu-Daudé
2024-07-08  9:29   ` Manos Pitsidianakis
2024-07-09 14:16 ` Matias Ezequiel Vara Larsen [this message]
2024-07-09 16:21   ` Manos Pitsidianakis
