* [PATCH 0/2] libvhost-user, libvduse: fix buffer overflow (CVE-2026-6425)

From: Stefano Garzarella
Date: 2026-04-17 13:26 UTC
To: qemu-devel
Cc: Xie Yongji, qemu-stable, Michael S. Tsirkin, Stefano Garzarella

A guest-triggerable buffer overflow was reported in libvhost-user.
When an indirect descriptor table crosses a memory region boundary,
virtqueue_read_indirect_desc() falls back to a chunked copy, but the
destination pointer is a struct vring_desc pointer advanced by a byte
count, so it overflows the buffer.

libvduse has vduse_queue_read_indirect_desc() which was inspired by
the libvhost-user counterpart, so it has the same issue.

Stefano Garzarella (2):
  libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc()
  libvduse: fix buffer overflow in vduse_queue_read_indirect_desc()

 subprojects/libvduse/libvduse.c           | 7 ++++---
 subprojects/libvhost-user/libvhost-user.c | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

-- 
2.53.0
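The pointer arithmetic the cover letter describes, as an added example that is not part of this series nor of libvhost-user or libvduse: a constructed two-region guest memory, a hypothetical toy_gpa_to_va() standing in for vu_gpa_to_va()/iova_to_va(), the pre-fix loop modelled with an integer byte offset (so it runs without actually corrupting memory), and the post-fix byte-pointer loop. The loop head (clamping read_len to what stays inside one region) is an assumption about how the surrounding code behaves; only the loop body mirrors the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as struct vring_desc in the virtio spec: 16 bytes, no padding. */
struct vring_desc {
    uint64_t addr;
    uint32_t len;
    uint16_t flags;
    uint16_t next;
};

#define VIRTQUEUE_MAX_SIZE 1024

/* Constructed guest memory: two 4 KiB regions, adjacent in guest physical
 * address space but separate host buffers, so a table placed near the end of
 * region0 straddles the boundary. Not libvhost-user's region bookkeeping. */
#define REGION_SIZE 4096u
static uint8_t region0[REGION_SIZE];
static uint8_t region1[REGION_SIZE];

/* Hypothetical stand-in for vu_gpa_to_va()/iova_to_va(): returns the host
 * pointer for gpa and shrinks *plen to the bytes left in that region, which
 * is what forces the caller to copy in chunks. */
static void *toy_gpa_to_va(uint64_t *plen, uint64_t gpa)
{
    uint8_t *base;
    uint64_t off;

    if (gpa < REGION_SIZE) {
        base = region0;
        off = gpa;
    } else if (gpa < 2 * REGION_SIZE) {
        base = region1;
        off = gpa - REGION_SIZE;
    } else {
        return NULL;
    }
    if (off + *plen > REGION_SIZE) {
        *plen = REGION_SIZE - off;
    }
    return base + off;
}

/* Pre-fix loop with the destination tracked as a byte offset instead of a
 * struct vring_desc pointer, so it can run without writing out of bounds.
 * Returns the offset one past the last byte the buggy code would have
 * written, or -1 on the function's own error paths. */
static int64_t buggy_copy_end_offset(uint64_t addr, size_t len)
{
    uint64_t dst_off = 0, end = 0, read_len;

    if (len > VIRTQUEUE_MAX_SIZE * sizeof(struct vring_desc)) {
        return -1;
    }
    while (len) {
        read_len = len;
        if (!toy_gpa_to_va(&read_len, addr)) {
            return -1;
        }
        end = dst_off + read_len;                      /* memcpy(desc, ...) */
        dst_off += read_len * sizeof(struct vring_desc); /* desc += read_len */
        len -= read_len;
        addr += read_len;
    }
    return (int64_t)end;
}

/* Post-fix loop: char pointer destination, void pointer source, so every
 * increment is in the same unit as read_len. */
static int fixed_read_indirect_desc(struct vring_desc *desc, uint64_t addr,
                                    size_t len)
{
    char *dst_desc = (char *)desc;
    uint64_t read_len;
    void *ori_desc;

    if (len > VIRTQUEUE_MAX_SIZE * sizeof(struct vring_desc)) {
        return -1;
    }
    while (len) {
        read_len = len;
        ori_desc = toy_gpa_to_va(&read_len, addr);
        if (!ori_desc) {
            return -1;
        }
        memcpy(dst_desc, ori_desc, read_len);
        len -= read_len;
        addr += read_len;
        dst_desc += read_len;
    }
    return 0;
}

/* Constructed input: a 4-entry table (64 bytes) starting 24 bytes before the
 * end of region0: chunk 1 is one descriptor plus half of the next, chunk 2
 * starts in the middle of a descriptor (hence void * for the source). */
#define TABLE_ENTRIES 4
#define TABLE_BYTES   (TABLE_ENTRIES * sizeof(struct vring_desc))
#define TABLE_GPA     (REGION_SIZE - 24)

static void place_split_table(struct vring_desc *table)
{
    for (int i = 0; i < TABLE_ENTRIES; i++) {
        table[i].addr = 0x100000ull + 0x1000ull * i;
        table[i].len = 512;
        table[i].flags = (i + 1 < TABLE_ENTRIES) ? 1 : 0; /* VRING_DESC_F_NEXT */
        table[i].next = (uint16_t)(i + 1);
    }
    memcpy(region0 + TABLE_GPA, (const uint8_t *)table, 24);
    memcpy(region1, (const uint8_t *)table + 24, TABLE_BYTES - 24);
}

/* 1 if the fixed copy reproduces the split table byte for byte. */
static int fixed_copy_matches(void)
{
    struct vring_desc table[TABLE_ENTRIES], out[TABLE_ENTRIES];

    place_split_table(table);
    memset(out, 0, sizeof(out));
    return fixed_read_indirect_desc(out, TABLE_GPA, TABLE_BYTES) == 0 &&
           memcmp(out, table, TABLE_BYTES) == 0;
}

/* Where the pre-fix code would have written for the same table: 24 bytes,
 * then a jump of 24 * 16 = 384 bytes before the 40-byte second chunk, i.e.
 * 424 bytes into a 64-byte buffer. */
static int64_t buggy_end_for_split_table(void)
{
    struct vring_desc table[TABLE_ENTRIES];

    place_split_table(table);
    return buggy_copy_end_offset(TABLE_GPA, TABLE_BYTES);
}

int main(void)
{
    printf("fixed copy intact: %d\n", fixed_copy_matches());
    printf("buggy write end: %lld bytes into a %zu-byte buffer\n",
           (long long)buggy_end_for_split_table(), (size_t)TABLE_BYTES);
    return 0;
}
```

A table that fits in one region runs the loop once, so the first memcpy lands at offset 0 and the bug never shows; that is why the series ties the overflow to tables that cross a region boundary. With the real VIRTQUEUE_MAX_SIZE-entry destination, the same scaling means any split of a full-size table lands past the end.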
* [PATCH 1/2] libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc()

From: Stefano Garzarella <sgarzare@redhat.com>
Date: 2026-04-17 13:26 UTC
To: qemu-devel
Cc: Xie Yongji, qemu-stable, Michael S. Tsirkin, Stefano Garzarella, DARKNAVY

virtqueue_read_indirect_desc() copies an indirect descriptor table
into a buffer in chunks when the table crosses a memory region
boundary. The destination is a struct vring_desc pointer but is
advanced by a byte count, so each increment moves the pointer by
read_len elements instead of read_len bytes, writing beyond the
buffer.

Use a char pointer for the destination so that the arithmetic
advances correctly.

While at it, change the source from a struct vring_desc pointer
to a void pointer: when the table is split across regions,
vu_gpa_to_va() can return a pointer into the middle of a descriptor,
so casting it to a struct vring_desc pointer is wrong. The pointer is
only used as a memcpy() source, so a void pointer is fine.

Fixes: CVE-2026-6425
Fixes: 293084a719 ("libvhost-user: Support across-memory-boundary access")
Cc: qemu-stable@nongnu.org
Reported-by: DARKNAVY <vr@darknavy.com>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
---
 subprojects/libvhost-user/libvhost-user.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/subprojects/libvhost-user/libvhost-user.c b/subprojects/libvhost-user/libvhost-user.c
index 9c630c2170..014d210748 100644
--- a/subprojects/libvhost-user/libvhost-user.c
+++ b/subprojects/libvhost-user/libvhost-user.c
@@ -2391,8 +2391,9 @@ static int virtqueue_read_indirect_desc(VuDev *dev, struct vring_desc *desc, uint64_t addr, size_t len) { - struct vring_desc *ori_desc; + char *dst_desc = (char *)desc; uint64_t read_len; + void *ori_desc; if (len > (VIRTQUEUE_MAX_SIZE * sizeof(struct vring_desc))) { return -1; @@ -2409,10 +2410,10 @@ virtqueue_read_indirect_desc(VuDev *dev, struct vring_desc *desc, return -1; } - memcpy(desc, ori_desc, read_len); + memcpy(dst_desc, ori_desc, read_len); len -= read_len; addr += read_len; - desc += read_len; + dst_desc += read_len; } return 0; -- 2.53.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
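Review bot: the check `if (len > (VIRTQUEUE_MAX_SIZE * sizeof(struct vring_desc)))` at the top of the first hunk bounds the total size but does not reject a len that is not a multiple of sizeof(struct vring_desc); if callers do not already enforce that before reaching this function, a trailing partial descriptor would be copied in and then consumed as a whole one, so either state that precondition in a comment above the check or extend it with `len % sizeof(struct vring_desc)`. The byte-pointer change itself is correct: `dst_desc += read_len` in the second hunk now advances by the same unit as `addr += read_len` and the memcpy length.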
* Re: [PATCH 1/2] libvhost-user: fix buffer overflow in virtqueue_read_indirect_desc()

From: Daniel P. Berrangé
Date: 2026-05-11 10:43 UTC
To: Stefano Garzarella
Cc: qemu-devel, Xie Yongji, qemu-stable, Michael S. Tsirkin, DARKNAVY

On Fri, Apr 17, 2026 at 03:26:44PM +0200, Stefano Garzarella wrote:
> From: Stefano Garzarella <sgarzare@redhat.com>
>
> virtqueue_read_indirect_desc() copies an indirect descriptor table
> into a buffer in chunks when the table crosses a memory region
> boundary. The destination is a struct vring_desc pointer but is
> advanced by a byte count, so each increment moves the pointer by
> read_len elements instead of read_len bytes, writing beyond the
> buffer.
>
> Use a char pointer for the destination so that the arithmetic
> advances correctly.
>
> While at it, change the source from a struct vring_desc pointer
> to a void pointer: when the table is split across regions,
> vu_gpa_to_va() can return a pointer into the middle of a descriptor,
> so casting it to a struct vring_desc pointer is wrong. The pointer is
> only used as a memcpy() source, so a void pointer is fine.
>
> Fixes: CVE-2026-6425
> Fixes: 293084a719 ("libvhost-user: Support across-memory-boundary access")
> Cc: qemu-stable@nongnu.org
> Reported-by: DARKNAVY <vr@darknavy.com>
> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
> ---
>  subprojects/libvhost-user/libvhost-user.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

With regards,
Daniel
-- 
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
* [PATCH 2/2] libvduse: fix buffer overflow in vduse_queue_read_indirect_desc()

From: Stefano Garzarella <sgarzare@redhat.com>
Date: 2026-04-17 13:26 UTC
To: qemu-devel
Cc: Xie Yongji, qemu-stable, Michael S. Tsirkin, Stefano Garzarella, DARKNAVY

vduse_queue_read_indirect_desc() copies an indirect descriptor table
into a buffer in chunks when the table crosses a memory region
boundary. The destination is a struct vring_desc pointer but is
advanced by a byte count, so each increment moves the pointer by
read_len elements instead of read_len bytes, writing beyond the
buffer.

Use a char pointer for the destination so that the arithmetic
advances correctly.

While at it, change the source from a struct vring_desc pointer
to a void pointer: when the table is split across regions,
iova_to_va() can return a pointer into the middle of a descriptor,
so casting it to a struct vring_desc pointer is wrong. The pointer is
only used as a memcpy() source, so a void pointer is fine.

Fixes: CVE-2026-6425
Fixes: a6caeee811 ("libvduse: Add VDUSE (vDPA Device in Userspace) library")
Cc: qemu-stable@nongnu.org
Reported-by: DARKNAVY <vr@darknavy.com>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
---
 subprojects/libvduse/libvduse.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/subprojects/libvduse/libvduse.c b/subprojects/libvduse/libvduse.c
index 21ffbb5b8d..df9ca5e56f 100644
--- a/subprojects/libvduse/libvduse.c
+++ b/subprojects/libvduse/libvduse.c
@@ -465,8 +465,9 @@ static int vduse_queue_read_indirect_desc(VduseDev *dev, struct vring_desc *desc, uint64_t addr, size_t len) { - struct vring_desc *ori_desc; + char *dst_desc = (char *)desc; uint64_t read_len; + void *ori_desc; if (len > (VIRTQUEUE_MAX_SIZE * sizeof(struct vring_desc))) { return -1; @@ -483,10 +484,10 @@ vduse_queue_read_indirect_desc(VduseDev *dev, struct vring_desc *desc, return -1; } - memcpy(desc, ori_desc, read_len); + memcpy(dst_desc, ori_desc, read_len); len -= read_len; addr += read_len; - desc += read_len; + dst_desc += read_len; } return 0; -- 2.53.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
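Review bot: the reason for `void *ori_desc` in the first hunk lives only in the commit message; add a one-line comment at the declaration (the source pointer can land in the middle of a descriptor when the table straddles regions, so it is raw bytes, not a descriptor array), otherwise a later cleanup is likely to type it back to `struct vring_desc *`. The same applies to `char *dst_desc = (char *)desc;`: a comment that read_len is a byte count is what stops `desc += read_len` from being reintroduced, since the second hunk shows nothing else that would catch it.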
* Re: [PATCH 2/2] libvduse: fix buffer overflow in vduse_queue_read_indirect_desc()

From: Daniel P. Berrangé
Date: 2026-05-11 10:44 UTC
To: Stefano Garzarella
Cc: qemu-devel, Xie Yongji, qemu-stable, Michael S. Tsirkin, DARKNAVY

On Fri, Apr 17, 2026 at 03:26:45PM +0200, Stefano Garzarella wrote:
> From: Stefano Garzarella <sgarzare@redhat.com>
>
> vduse_queue_read_indirect_desc() copies an indirect descriptor table
> into a buffer in chunks when the table crosses a memory region
> boundary. The destination is a struct vring_desc pointer but is
> advanced by a byte count, so each increment moves the pointer by
> read_len elements instead of read_len bytes, writing beyond the
> buffer.
>
> Use a char pointer for the destination so that the arithmetic
> advances correctly.
>
> While at it, change the source from a struct vring_desc pointer
> to a void pointer: when the table is split across regions,
> iova_to_va() can return a pointer into the middle of a descriptor,
> so casting it to a struct vring_desc pointer is wrong. The pointer is
> only used as a memcpy() source, so a void pointer is fine.
>
> Fixes: CVE-2026-6425
> Fixes: a6caeee811 ("libvduse: Add VDUSE (vDPA Device in Userspace) library")
> Cc: qemu-stable@nongnu.org
> Reported-by: DARKNAVY <vr@darknavy.com>
> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
> ---
>  subprojects/libvduse/libvduse.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

With regards,
Daniel
-- 
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|