From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Stefano Garzarella <sgarzare@redhat.com>
Cc: qemu-devel@nongnu.org, Xie Yongji <xieyongji@bytedance.com>,
qemu-stable@nongnu.org, "Michael S. Tsirkin" <mst@redhat.com>,
DARKNAVY <vr@darknavy.com>
Subject: Re: [PATCH 1/2] libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc()
Date: Mon, 11 May 2026 11:43:53 +0100
Message-ID: <agGy6RK_w5-DD3KC@redhat.com>
In-Reply-To: <20260417132645.121192-2-sgarzare@redhat.com>
On Fri, Apr 17, 2026 at 03:26:44PM +0200, Stefano Garzarella wrote:
> From: Stefano Garzarella <sgarzare@redhat.com>
>
> virtqueue_read_indirect_desc() copies an indirect descriptor table
> into a buffer in chunks when the table crosses a memory region
> boundary. The destination is a struct vring_desc pointer but is
> advanced by a byte count, so each increment moves the pointer by
> read_len elements instead of read_len bytes, writing beyond the
> buffer.
>
> Use a char pointer for the destination so that the arithmetic
> advances correctly.
>
> While at it, change the source from a struct vring_desc pointer
> to a void pointer: when the table is split across regions,
> vu_gpa_to_va() can return a pointer into the middle of a descriptor,
> so casting it to a struct vring_desc pointer is wrong. The pointer is
> only used as a memcpy() source, so a void pointer is fine.
>
> Fixes: CVE-2026-6425
> Fixes: 293084a719 ("libvhost-user: Support across-memory-boundary access")
> Cc: qemu-stable@nongnu.org
> Reported-by: DARKNAVY <vr@darknavy.com>
> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
> ---
> subprojects/libvhost-user/libvhost-user.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
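The pointer-arithmetic mistake described in the commit message, reduced to a self-contained demonstration. This is a constructed illustration, not code from libvhost-user: struct vring_desc follows the 16-byte virtio layout, chunked_copy() stands in for the chunked copy loop, region_bytes stands in for a memory region boundary, and bytes_reached() builds a two-entry table and reports how far past the start of the destination the copy reached.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed 16-byte descriptor layout matching the virtio ring descriptor. */
struct vring_desc {
    uint64_t addr;
    uint32_t len;
    uint16_t flags;
    uint16_t next;
};

#define TABLE_BYTES   (2 * sizeof(struct vring_desc)) /* two-entry indirect table */
#define SCRATCH_BYTES 4096 /* oversized so the buggy stride stays inside the demo buffer */

/* Copy `len` bytes of table from `src` into `scratch` in chunks of at most `region_bytes`
   (stand-in for a memory region boundary). Returns the offset one past the highest byte
   written; anything above TABLE_BYTES would have overflowed a table-sized buffer. */
size_t chunked_copy(unsigned char *scratch, const void *src, size_t len,
                    size_t region_bytes, int fixed)
{
    struct vring_desc *desc_dst = (struct vring_desc *)scratch; /* buggy: element stride */
    char *byte_dst = (char *)scratch;                           /* fixed: byte stride */
    const char *from = src;    /* byte-typed source: a chunk may start mid-descriptor */
    size_t end = 0;

    while (len > 0) {
        size_t read_len = len < region_bytes ? len : region_bytes;
        unsigned char *dst = fixed ? (unsigned char *)byte_dst : (unsigned char *)desc_dst;
        size_t off = (size_t)(dst - scratch);
        if (off + read_len > SCRATCH_BYTES)
            return off + read_len;           /* stop before leaving the demo buffer */
        memcpy(dst, from, read_len);
        end = off + read_len;
        /* The only statement that differs between bug and fix is the destination advance. */
        if (fixed) byte_dst += read_len;     /* read_len bytes */
        else       desc_dst += read_len;     /* read_len * sizeof(struct vring_desc) bytes */
        from += read_len;
        len -= read_len;
    }
    return end;
}

/* Constructed two-descriptor table split every `region_bytes`; 0 means the fixed copy mismatched. */
size_t bytes_reached(int fixed, size_t region_bytes)
{
    struct vring_desc table[2] = { { 0x1000, 64, 1, 1 }, { 0x2000, 32, 0, 0 } };
    _Alignas(struct vring_desc) unsigned char scratch[SCRATCH_BYTES] = { 0 };
    size_t end = chunked_copy(scratch, table, TABLE_BYTES, region_bytes, fixed);
    return (fixed && memcmp(scratch, table, TABLE_BYTES) != 0) ? 0 : end;
}
```

With a 32-byte table split at 16 bytes, the fixed variant ends at byte 32 while the buggy stride lands the second chunk at byte 256; a table that fits in one region is copied correctly by both, which is why the bug only shows when the table crosses a boundary.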
Thread overview: 5+ messages
2026-04-17 13:26 [PATCH 0/2] libvhost-user, libvduse: fix buffer overflow (CVE-2026-6425) Stefano Garzarella
2026-04-17 13:26 ` [PATCH 1/2] libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc() Stefano Garzarella
2026-05-11 10:43 ` Daniel P. Berrangé [this message]
2026-04-17 13:26 ` [PATCH 2/2] libvduse: fix buffer overflow in vduse_queue_read_indirect_desc() Stefano Garzarella
2026-05-11 10:44 ` Daniel P. Berrangé