[PATCH 0/2] libvhost-user, libvduse: fix buffer overflow (CVE-2026-6425)

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH 0/2] libvhost-user, libvduse: fix buffer overflow (CVE-2026-6425)
@ 2026-04-17 13:26 Stefano Garzarella
  2026-04-17 13:26 ` [PATCH 1/2] libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc() Stefano Garzarella
  2026-04-17 13:26 ` [PATCH 2/2] libvduse: fix buffer overflow in vduse_queue_read_indirect_desc() Stefano Garzarella
  0 siblings, 2 replies; 5+ messages in thread
From: Stefano Garzarella @ 2026-04-17 13:26 UTC (permalink / raw)
  To: qemu-devel
  Cc: Xie Yongji, qemu-stable, Michael S. Tsirkin, Stefano Garzarella

A guest-triggerable buffer overflow was reported in libvhost-user.
When an indirect descriptor table crosses a memory region boundary,
virtqueue_read_indirect_desc() falls back to a chunked copy, but
the destination pointer is a struct vring_desc pointer advanced by
a byte count, so it overflows the buffer.

libvduse has vduse_queue_read_indirect_desc() which was inspired by
the libvhost-user counterpart, so it has the same issue.

Stefano Garzarella (2):
  libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc()
  libvduse: fix buffer overflow in vduse_queue_read_indirect_desc()

 subprojects/libvduse/libvduse.c           | 7 ++++---
 subprojects/libvhost-user/libvhost-user.c | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

-- 
2.53.0

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH 1/2] libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc()
  2026-04-17 13:26 [PATCH 0/2] libvhost-user, libvduse: fix buffer overflow (CVE-2026-6425) Stefano Garzarella
@ 2026-04-17 13:26 ` Stefano Garzarella
  2026-05-11 10:43   ` Daniel P. Berrangé
  2026-04-17 13:26 ` [PATCH 2/2] libvduse: fix buffer overflow in vduse_queue_read_indirect_desc() Stefano Garzarella
  1 sibling, 1 reply; 5+ messages in thread
From: Stefano Garzarella @ 2026-04-17 13:26 UTC (permalink / raw)
  To: qemu-devel
  Cc: Xie Yongji, qemu-stable, Michael S. Tsirkin, Stefano Garzarella,
	DARKNAVY

From: Stefano Garzarella <sgarzare@redhat.com>

virtqueue_read_indirect_desc() copies an indirect descriptor table
into a buffer in chunks when the table crosses a memory region
boundary. The destination is a struct vring_desc pointer but is
advanced by a byte count, so each increment moves the pointer by
read_len elements instead of read_len bytes, writing beyond the
buffer.

Use a char pointer for the destination so that the arithmetic
advances correctly.

While at it, change the source from a struct vring_desc pointer
to a void pointer: when the table is split across regions,
vu_gpa_to_va() can return a pointer into the middle of a descriptor,
so casting it to a struct vring_desc pointer is wrong. The pointer is
only used as a memcpy() source, so a void pointer is fine.

Fixes: CVE-2026-6425
Fixes: 293084a719 ("libvhost-user: Support across-memory-boundary access")
Cc: qemu-stable@nongnu.org
Reported-by: DARKNAVY <vr@darknavy.com>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
---
 subprojects/libvhost-user/libvhost-user.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/subprojects/libvhost-user/libvhost-user.c b/subprojects/libvhost-user/libvhost-user.c
index 9c630c2170..014d210748 100644
--- a/subprojects/libvhost-user/libvhost-user.c
+++ b/subprojects/libvhost-user/libvhost-user.c
@@ -2391,8 +2391,9 @@ static int
 virtqueue_read_indirect_desc(VuDev *dev, struct vring_desc *desc,
                              uint64_t addr, size_t len)
 {
-    struct vring_desc *ori_desc;
+    char *dst_desc = (char *)desc;
     uint64_t read_len;
+    void *ori_desc;
 
     if (len > (VIRTQUEUE_MAX_SIZE * sizeof(struct vring_desc))) {
         return -1;
@@ -2409,10 +2410,10 @@ virtqueue_read_indirect_desc(VuDev *dev, struct vring_desc *desc,
             return -1;
         }
 
-        memcpy(desc, ori_desc, read_len);
+        memcpy(dst_desc, ori_desc, read_len);
         len -= read_len;
         addr += read_len;
-        desc += read_len;
+        dst_desc += read_len;
     }
 
     return 0;
-- 
2.53.0



^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [PATCH 2/2] libvduse: fix buffer overflow in vduse_queue_read_indirect_desc()
  2026-04-17 13:26 [PATCH 0/2] libvhost-user, libvduse: fix buffer overflow (CVE-2026-6425) Stefano Garzarella
  2026-04-17 13:26 ` [PATCH 1/2] libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc() Stefano Garzarella
@ 2026-04-17 13:26 ` Stefano Garzarella
  2026-05-11 10:44   ` Daniel P. Berrangé
  1 sibling, 1 reply; 5+ messages in thread
From: Stefano Garzarella @ 2026-04-17 13:26 UTC (permalink / raw)
  To: qemu-devel
  Cc: Xie Yongji, qemu-stable, Michael S. Tsirkin, Stefano Garzarella,
	DARKNAVY

From: Stefano Garzarella <sgarzare@redhat.com>

vduse_queue_read_indirect_desc() copies an indirect descriptor table
into a buffer in chunks when the table crosses a memory region
boundary. The destination is a struct vring_desc pointer but is
advanced by a byte count, so each increment moves the pointer by
read_len elements instead of read_len bytes, writing beyond the
buffer.

Use a char pointer for the destination so that the arithmetic
advances correctly.

While at it, change the source from a struct vring_desc pointer
to a void pointer: when the table is split across regions,
iova_to_va() can return a pointer into the middle of a descriptor,
so casting it to a struct vring_desc pointer is wrong. The pointer is
only used as a memcpy() source, so a void pointer is fine.

Fixes: CVE-2026-6425
Fixes: a6caeee811 ("libvduse: Add VDUSE (vDPA Device in Userspace) library")
Cc: qemu-stable@nongnu.org
Reported-by: DARKNAVY <vr@darknavy.com>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
---
 subprojects/libvduse/libvduse.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/subprojects/libvduse/libvduse.c b/subprojects/libvduse/libvduse.c
index 21ffbb5b8d..df9ca5e56f 100644
--- a/subprojects/libvduse/libvduse.c
+++ b/subprojects/libvduse/libvduse.c
@@ -465,8 +465,9 @@ static int
 vduse_queue_read_indirect_desc(VduseDev *dev, struct vring_desc *desc,
                                uint64_t addr, size_t len)
 {
-    struct vring_desc *ori_desc;
+    char *dst_desc = (char *)desc;
     uint64_t read_len;
+    void *ori_desc;
 
     if (len > (VIRTQUEUE_MAX_SIZE * sizeof(struct vring_desc))) {
         return -1;
@@ -483,10 +484,10 @@ vduse_queue_read_indirect_desc(VduseDev *dev, struct vring_desc *desc,
             return -1;
         }
 
-        memcpy(desc, ori_desc, read_len);
+        memcpy(dst_desc, ori_desc, read_len);
         len -= read_len;
         addr += read_len;
-        desc += read_len;
+        dst_desc += read_len;
     }
 
     return 0;
-- 
2.53.0



^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH 1/2] libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc()
  2026-04-17 13:26 ` [PATCH 1/2] libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc() Stefano Garzarella
@ 2026-05-11 10:43   ` Daniel P. Berrangé
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel P. Berrangé @ 2026-05-11 10:43 UTC (permalink / raw)
  To: Stefano Garzarella
  Cc: qemu-devel, Xie Yongji, qemu-stable, Michael S. Tsirkin, DARKNAVY

On Fri, Apr 17, 2026 at 03:26:44PM +0200, Stefano Garzarella wrote:
> From: Stefano Garzarella <sgarzare@redhat.com>
> 
> virtqueue_read_indirect_desc() copies an indirect descriptor table
> into a buffer in chunks when the table crosses a memory region
> boundary. The destination is a struct vring_desc pointer but is
> advanced by a byte count, so each increment moves the pointer by
> read_len elements instead of read_len bytes, writing beyond the
> buffer.
> 
> Use a char pointer for the destination so that the arithmetic
> advances correctly.
> 
> While at it, change the source from a struct vring_desc pointer
> to a void pointer: when the table is split across regions,
> vu_gpa_to_va() can return a pointer into the middle of a descriptor,
> so casting it to a struct vring_desc pointer is wrong. The pointer is
> only used as a memcpy() source, so a void pointer is fine.
> 
> Fixes: CVE-2026-6425
> Fixes: 293084a719 ("libvhost-user: Support across-memory-boundary access")
> Cc: qemu-stable@nongnu.org
> Reported-by: DARKNAVY <vr@darknavy.com>
> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
> ---
>  subprojects/libvhost-user/libvhost-user.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


With regards,
Daniel
-- 
|: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~          https://entangle-photo.org :|
|: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH 2/2] libvduse: fix buffer overflow in vduse_queue_read_indirect_desc()
  2026-04-17 13:26 ` [PATCH 2/2] libvduse: fix buffer overflow in vduse_queue_read_indirect_desc() Stefano Garzarella
@ 2026-05-11 10:44   ` Daniel P. Berrangé
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel P. Berrangé @ 2026-05-11 10:44 UTC (permalink / raw)
  To: Stefano Garzarella
  Cc: qemu-devel, Xie Yongji, qemu-stable, Michael S. Tsirkin, DARKNAVY

On Fri, Apr 17, 2026 at 03:26:45PM +0200, Stefano Garzarella wrote:
> From: Stefano Garzarella <sgarzare@redhat.com>
> 
> vduse_queue_read_indirect_desc() copies an indirect descriptor table
> into a buffer in chunks when the table crosses a memory region
> boundary. The destination is a struct vring_desc pointer but is
> advanced by a byte count, so each increment moves the pointer by
> read_len elements instead of read_len bytes, writing beyond the
> buffer.
> 
> Use a char pointer for the destination so that the arithmetic
> advances correctly.
> 
> While at it, change the source from a struct vring_desc pointer
> to a void pointer: when the table is split across regions,
> iova_to_va() can return a pointer into the middle of a descriptor,
> so casting it to a struct vring_desc pointer is wrong. The pointer is
> only used as a memcpy() source, so a void pointer is fine.
> 
> Fixes: CVE-2026-6425
> Fixes: a6caeee811 ("libvduse: Add VDUSE (vDPA Device in Userspace) library")
> Cc: qemu-stable@nongnu.org
> Reported-by: DARKNAVY <vr@darknavy.com>
> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
> ---
>  subprojects/libvduse/libvduse.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>


With regards,
Daniel
-- 
|: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~          https://entangle-photo.org :|
|: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|



^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-05-11 10:45 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-17 13:26 [PATCH 0/2] libvhost-user, libvduse: fix buffer overflow (CVE-2026-6425) Stefano Garzarella
2026-04-17 13:26 ` [PATCH 1/2] libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc() Stefano Garzarella
2026-05-11 10:43   ` Daniel P. Berrangé
2026-04-17 13:26 ` [PATCH 2/2] libvduse: fix buffer overflow in vduse_queue_read_indirect_desc() Stefano Garzarella
2026-05-11 10:44   ` Daniel P. Berrangé

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.