From: "Volker Rümelin" <vr_qemu@t-online.de>
To: "Marc-André Lureau" <marcandre.lureau@redhat.com>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Manos Pitsidianakis" <manos.pitsidianakis@linaro.org>,
"Michael S. Tsirkin" <mst@redhat.com>
Cc: qemu-devel@nongnu.org, qemu-stable@nongnu.org
Subject: [PATCH v2 02/11] hw/audio/virtio-sound: fix segmentation fault in tx/rx xfer handler
Date: Sun, 18 Feb 2024 09:33:42 +0100 [thread overview]
Message-ID: <20240218083351.8524-2-vr_qemu@t-online.de> (raw)
In-Reply-To: <a289a081-9a61-4bcb-b693-bf6cd7768c0e@t-online.de>
A malicious guest may trigger a segmentation fault in the tx/rx xfer
handlers. On handler entry the stream variable is initialized with
NULL. If the first element of the virtio queue has an invalid size
or an invalid stream id, the error handling code dereferences the
stream variable NULL pointer.
Don't try to handle the invalid virtio queue element with a stream
queue. Instead, push the invalid queue element back to the guest
immediately.
Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
---
hw/audio/virtio-snd.c | 100 ++++++++++------------------------
include/hw/audio/virtio-snd.h | 1 -
2 files changed, 29 insertions(+), 72 deletions(-)
diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
index e604d8f30c..b87653daf4 100644
--- a/hw/audio/virtio-snd.c
+++ b/hw/audio/virtio-snd.c
@@ -456,7 +456,6 @@ static uint32_t virtio_snd_pcm_prepare(VirtIOSound *s, uint32_t stream_id)
stream->s = s;
qemu_mutex_init(&stream->queue_mutex);
QSIMPLEQ_INIT(&stream->queue);
- QSIMPLEQ_INIT(&stream->invalid);
/*
* stream_id >= s->snd_conf.streams was checked before so this is
@@ -611,9 +610,6 @@ static size_t virtio_snd_pcm_get_io_msgs_count(VirtIOSoundPCMStream *stream)
QSIMPLEQ_FOREACH_SAFE(buffer, &stream->queue, entry, next) {
count += 1;
}
- QSIMPLEQ_FOREACH_SAFE(buffer, &stream->invalid, entry, next) {
- count += 1;
- }
}
return count;
}
@@ -831,47 +827,19 @@ static void virtio_snd_handle_event(VirtIODevice *vdev, VirtQueue *vq)
trace_virtio_snd_handle_event();
}
-static inline void empty_invalid_queue(VirtIODevice *vdev, VirtQueue *vq)
+static void push_bad_msg_resp(VirtQueue *vq, VirtQueueElement *elem)
{
- VirtIOSoundPCMBuffer *buffer = NULL;
- VirtIOSoundPCMStream *stream = NULL;
virtio_snd_pcm_status resp = { 0 };
- VirtIOSound *vsnd = VIRTIO_SND(vdev);
- bool any = false;
-
- for (uint32_t i = 0; i < vsnd->snd_conf.streams; i++) {
- stream = vsnd->pcm->streams[i];
- if (stream) {
- any = false;
- WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) {
- while (!QSIMPLEQ_EMPTY(&stream->invalid)) {
- buffer = QSIMPLEQ_FIRST(&stream->invalid);
- if (buffer->vq != vq) {
- break;
- }
- any = true;
- resp.status = cpu_to_le32(VIRTIO_SND_S_BAD_MSG);
- iov_from_buf(buffer->elem->in_sg,
- buffer->elem->in_num,
- 0,
- &resp,
- sizeof(virtio_snd_pcm_status));
- virtqueue_push(vq,
- buffer->elem,
- sizeof(virtio_snd_pcm_status));
- QSIMPLEQ_REMOVE_HEAD(&stream->invalid, entry);
- virtio_snd_pcm_buffer_free(buffer);
- }
- if (any) {
- /*
- * Notify vq about virtio_snd_pcm_status responses.
- * Buffer responses must be notified separately later.
- */
- virtio_notify(vdev, vq);
- }
- }
- }
- }
+ size_t msg_sz;
+
+ resp.status = cpu_to_le32(VIRTIO_SND_S_BAD_MSG);
+ msg_sz = iov_from_buf(elem->in_sg,
+ elem->in_num,
+ 0,
+ &resp,
+ sizeof(virtio_snd_pcm_status));
+ virtqueue_push(vq, elem, msg_sz);
+ g_free(elem);
}
/*
@@ -890,11 +858,7 @@ static void virtio_snd_handle_tx_xfer(VirtIODevice *vdev, VirtQueue *vq)
size_t msg_sz, size;
virtio_snd_pcm_xfer hdr;
uint32_t stream_id;
- /*
- * If any of the I/O messages are invalid, put them in stream->invalid and
- * return them after the for loop.
- */
- bool must_empty_invalid_queue = false;
+ bool notify = false;
if (!virtio_queue_ready(vq)) {
return;
@@ -942,17 +906,16 @@ static void virtio_snd_handle_tx_xfer(VirtIODevice *vdev, VirtQueue *vq)
continue;
tx_err:
- WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) {
- must_empty_invalid_queue = true;
- buffer = g_malloc0(sizeof(VirtIOSoundPCMBuffer));
- buffer->elem = elem;
- buffer->vq = vq;
- QSIMPLEQ_INSERT_TAIL(&stream->invalid, buffer, entry);
- }
+ push_bad_msg_resp(vq, elem);
+ notify = true;
}
- if (must_empty_invalid_queue) {
- empty_invalid_queue(vdev, vq);
+ if (notify) {
+ /*
+ * Notify vq about virtio_snd_pcm_status responses.
+ * Buffer responses must be notified separately later.
+ */
+ virtio_notify(vdev, vq);
}
}
@@ -972,11 +935,7 @@ static void virtio_snd_handle_rx_xfer(VirtIODevice *vdev, VirtQueue *vq)
size_t msg_sz, size;
virtio_snd_pcm_xfer hdr;
uint32_t stream_id;
- /*
- * if any of the I/O messages are invalid, put them in stream->invalid and
- * return them after the for loop.
- */
- bool must_empty_invalid_queue = false;
+ bool notify = false;
if (!virtio_queue_ready(vq)) {
return;
@@ -1021,17 +980,16 @@ static void virtio_snd_handle_rx_xfer(VirtIODevice *vdev, VirtQueue *vq)
continue;
rx_err:
- WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) {
- must_empty_invalid_queue = true;
- buffer = g_malloc0(sizeof(VirtIOSoundPCMBuffer));
- buffer->elem = elem;
- buffer->vq = vq;
- QSIMPLEQ_INSERT_TAIL(&stream->invalid, buffer, entry);
- }
+ push_bad_msg_resp(vq, elem);
+ notify = true;
}
- if (must_empty_invalid_queue) {
- empty_invalid_queue(vdev, vq);
+ if (notify) {
+ /*
+ * Notify vq about virtio_snd_pcm_status responses.
+ * Buffer responses must be notified separately later.
+ */
+ virtio_notify(vdev, vq);
}
}
diff --git a/include/hw/audio/virtio-snd.h b/include/hw/audio/virtio-snd.h
index 3d79181364..1209b122b9 100644
--- a/include/hw/audio/virtio-snd.h
+++ b/include/hw/audio/virtio-snd.h
@@ -151,7 +151,6 @@ struct VirtIOSoundPCMStream {
QemuMutex queue_mutex;
bool active;
QSIMPLEQ_HEAD(, VirtIOSoundPCMBuffer) queue;
- QSIMPLEQ_HEAD(, VirtIOSoundPCMBuffer) invalid;
};
/*
--
2.35.3
next prev parent reply other threads:[~2024-02-18 8:35 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-18 8:31 [PATCH v2 00/11] virtio-sound migration part 1 Volker Rümelin
2024-02-18 8:33 ` [PATCH v2 01/11] hw/audio/virtio-sound: return correct command response size Volker Rümelin
2024-02-18 8:33 ` Volker Rümelin [this message]
2024-02-19 12:42 ` [PATCH v2 02/11] hw/audio/virtio-sound: fix segmentation fault in tx/rx xfer handler Manos Pitsidianakis
2024-02-18 8:33 ` [PATCH v2 03/11] hw/audio/virtio-sound: remove command and stream mutexes Volker Rümelin
2024-02-18 8:33 ` [PATCH v2 04/11] hw/audio/virtio-sound: allocate an array of streams Volker Rümelin
2024-02-18 8:33 ` [PATCH v2 05/11] hw/audio/virtio-sound: free all stream buffers on reset Volker Rümelin
2024-02-18 8:33 ` [PATCH v2 06/11] hw/audio/virtio-sound: split out virtio_snd_pcm_start_stop() Volker Rümelin
2024-02-18 8:33 ` [PATCH v2 07/11] hw/audio/virtio-sound: add stream state variable Volker Rümelin
2024-02-19 12:59 ` Manos Pitsidianakis
2024-02-19 13:01 ` Michael S. Tsirkin
2024-03-12 15:35 ` Michael S. Tsirkin
2024-02-18 8:33 ` [PATCH v2 08/11] hw/audio/virtio-sound: introduce virtio_snd_pcm_open() Volker Rümelin
2024-02-18 8:33 ` [PATCH v2 09/11] hw/audio/virtio-sound: introduce virtio_snd_set_active() Volker Rümelin
2024-02-18 8:33 ` [PATCH v2 10/11] hw/audio/virtio-sound: add missing vmstate fields Volker Rümelin
2024-02-18 8:33 ` [PATCH v2 11/11] hw/audio/virtio-sound: add placeholder for buffer write position Volker Rümelin
2024-03-12 15:38 ` [PATCH v2 00/11] virtio-sound migration part 1 Michael S. Tsirkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240218083351.8524-2-vr_qemu@t-online.de \
--to=vr_qemu@t-online.de \
--cc=kraxel@redhat.com \
--cc=manos.pitsidianakis@linaro.org \
--cc=marcandre.lureau@redhat.com \
--cc=mst@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-stable@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).