From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: qemu-devel@nongnu.org
Cc: "Volker Rümelin" <vr_qemu@t-online.de>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Philippe Mathieu-Daudé" <philmd@linaro.org>
Subject: [PULL 22/56] hw/audio/virtio-sound: fix heap buffer overflow
Date: Wed, 11 Sep 2024 14:13:47 +0200
Message-ID: <20240911121422.52585-23-philmd@linaro.org>
In-Reply-To: <20240911121422.52585-1-philmd@linaro.org>
From: Volker Rümelin <vr_qemu@t-online.de>
Currently, the guest may write to the device configuration space,
whereas the virtio sound device specification in chapter 5.14.4
clearly states that the fields in the device configuration space
are driver-read-only.
Remove the set_config function from the virtio_snd class.
This also prevents a heap buffer overflow. See QEMU issue #2296.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2296
Signed-off-by: Volker Rümelin <vr_qemu@t-online.de>
Acked-by: Gerd Hoffmann <kraxel@redhat.com>
Message-ID: <20240901130112.8242-1-vr_qemu@t-online.de>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
hw/audio/virtio-snd.c | 24 ------------------------
hw/audio/trace-events | 1 -
2 files changed, 25 deletions(-)
diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
index d1cf5eb445..69838181dd 100644
--- a/hw/audio/virtio-snd.c
+++ b/hw/audio/virtio-snd.c
@@ -107,29 +107,6 @@ virtio_snd_get_config(VirtIODevice *vdev, uint8_t *config)
}
-static void
-virtio_snd_set_config(VirtIODevice *vdev, const uint8_t *config)
-{
- VirtIOSound *s = VIRTIO_SND(vdev);
- const virtio_snd_config *sndconfig =
- (const virtio_snd_config *)config;
-
-
- trace_virtio_snd_set_config(vdev,
- s->snd_conf.jacks,
- sndconfig->jacks,
- s->snd_conf.streams,
- sndconfig->streams,
- s->snd_conf.chmaps,
- sndconfig->chmaps);
-
- memcpy(&s->snd_conf, sndconfig, sizeof(virtio_snd_config));
- le32_to_cpus(&s->snd_conf.jacks);
- le32_to_cpus(&s->snd_conf.streams);
- le32_to_cpus(&s->snd_conf.chmaps);
-
-}
-
static void
virtio_snd_pcm_buffer_free(VirtIOSoundPCMBuffer *buffer)
{
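Review bot: the memcpy in the deleted virtio_snd_set_config copied a guest-supplied virtio_snd_config straight over s->snd_conf, so jacks, streams and chmaps were replaced with whatever the driver wrote and nothing compared the new counts against the values the device was configured with; the trace call above it only logged the old and new numbers. Since the commit message cites the spec (5.14.4) making these fields driver-read-only, dropping the handler is preferable to adding range checks, and the deletion leaves virtio_snd_get_config as the only config-space path in this file.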
@@ -1400,7 +1377,6 @@ static void virtio_snd_class_init(ObjectClass *klass, void *data)
vdc->realize = virtio_snd_realize;
vdc->unrealize = virtio_snd_unrealize;
vdc->get_config = virtio_snd_get_config;
- vdc->set_config = virtio_snd_set_config;
vdc->get_features = get_features;
vdc->reset = virtio_snd_reset;
vdc->legacy_features = 0;
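Review bot: with the vdc->set_config assignment removed, the class leaves that callback unset, so a guest write to the config space now relies on the virtio core checking for a NULL set_config before calling through it; it is worth confirming that, and saying so in the commit message, so a reader does not mistake the missing assignment for an oversight. The remaining vdc->get_config, get_features and reset assignments are untouched and keep the surrounding order.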
diff --git a/hw/audio/trace-events b/hw/audio/trace-events
index b1870ff224..b8ef572767 100644
--- a/hw/audio/trace-events
+++ b/hw/audio/trace-events
@@ -41,7 +41,6 @@ asc_update_irq(int irq, int a, int b) "set IRQ to %d (A: 0x%x B: 0x%x)"
#virtio-snd.c
virtio_snd_get_config(void *vdev, uint32_t jacks, uint32_t streams, uint32_t chmaps) "snd %p: get_config jacks=%"PRIu32" streams=%"PRIu32" chmaps=%"PRIu32""
-virtio_snd_set_config(void *vdev, uint32_t jacks, uint32_t new_jacks, uint32_t streams, uint32_t new_streams, uint32_t chmaps, uint32_t new_chmaps) "snd %p: set_config jacks from %"PRIu32"->%"PRIu32", streams from %"PRIu32"->%"PRIu32", chmaps from %"PRIu32"->%"PRIu32
virtio_snd_get_features(void *vdev, uint64_t features) "snd %p: get_features 0x%"PRIx64
virtio_snd_vm_state_running(void) "vm state running"
virtio_snd_vm_state_stopped(void) "vm state stopped"
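Review bot: removing the virtio_snd_set_config trace definition together with the handler keeps trace-events consistent with the code, since the tracepoint would otherwise describe a call site that no longer exists. While here, the surviving virtio_snd_get_config line ends its format string with `PRIu32""`, an empty literal concatenated onto the last conversion; it is harmless, but dropping the trailing `""` would match the virtio_snd_get_features line below it.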
--
2.45.2
Thread overview: 58+ messages
2024-09-11 12:13 [PULL 00/56] Misc HW & UI patches Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 01/56] hw/pci-host/designware: Declare CPU QOM types using DEFINE_TYPES() macro Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 02/56] hw/pci-host/designware: Add 'host_mem' variable for clarity Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 03/56] hw/intc/loongson_ipi: Remove unused headers Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 04/56] hw/sh4: Remove the deprecated SHIX machine Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 05/56] hw/block: Remove TC58128 NAND EEPROM Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 06/56] hw/sh4: Remove sh7750_register_io_device() helper Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 07/56] tests/tcg: Remove CRIS libc test files Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 08/56] tests/tcg: Remove CRIS bare " Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 09/56] buildsys: Remove CRIS cross container Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 10/56] linux-user: Remove support for CRIS target Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 11/56] hw/cris: Remove the axis-dev88 machine Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 12/56] hw/cris: Remove image loader helper Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 13/56] hw/intc: Remove TYPE_ETRAX_FS_PIC device Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 14/56] hw/char: Remove TYPE_ETRAX_FS_SERIAL device Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 15/56] hw/net: Remove TYPE_ETRAX_FS_ETH device Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 16/56] hw/dma: Remove ETRAX_FS DMA device Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 17/56] hw/timer: Remove TYPE_ETRAX_FS_TIMER device Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 18/56] system: Remove support for CRIS target Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 19/56] target/cris: Remove the deprecated " Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 20/56] seccomp: Remove check for CRIS host Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 21/56] target/riscv: Remove the deprecated 'any' CPU type Philippe Mathieu-Daudé
2024-09-11 12:13 ` Philippe Mathieu-Daudé [this message]
2024-09-11 12:13 ` [PULL 23/56] hw/char/pl011: Remove unused 'readbuff' field Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 24/56] hw/char/pl011: Move pl011_put_fifo() earlier Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 25/56] hw/char/pl011: Move pl011_loopback_enabled|tx() around Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 26/56] hw/char/pl011: Split RX/TX path of pl011_reset_fifo() Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 27/56] hw/char/pl011: Extract pl011_write_txdata() from pl011_write() Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 28/56] hw/char/pl011: Extract pl011_read_rxdata() from pl011_read() Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 29/56] hw/char/pl011: Warn when using disabled transmitter Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 30/56] hw/char/pl011: Rename RX FIFO methods Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 31/56] MAINTAINERS: Add myself as a reviewer of VT-d Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 32/56] fifo8: rename fifo8_peekpop_buf() to fifo8_peekpop_bufptr() Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 33/56] fifo8: introduce head variable for fifo8_peekpop_bufptr() Philippe Mathieu-Daudé
2024-09-11 12:13 ` [PULL 34/56] fifo8: add skip parameter to fifo8_peekpop_bufptr() Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 35/56] fifo8: replace fifo8_pop_bufptr() with fifo8_peekpop_bufptr() in fifo8_pop_buf() Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 36/56] fifo8: rename fifo8_pop_buf() to fifo8_peekpop_buf() Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 37/56] fifo8: honour do_pop argument in fifo8_peekpop_buf() Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 38/56] fifo8: add fifo8_peek_buf() function Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 39/56] fifo8: introduce fifo8_peek() function Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 40/56] tests/unit: add test-fifo unit test Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 41/56] tests/unit: Strengthen FIFO8 tests Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 42/56] tests/unit: Expand test_fifo8_peek_buf_wrap() coverage Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 43/56] tests/unit: Comment FIFO8 tests Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 44/56] hw/char/escc: convert Sun mouse to use QemuInputHandler Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 45/56] hw/input/adb-mouse: convert " Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 46/56] hw/char: replace assert(0) with g_assert_not_reached() Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 47/56] hw/core: " Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 48/56] hw/watchdog: " Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 49/56] hw/gpio: remove break after g_assert_not_reached() Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 50/56] hw/misc: " Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 51/56] hw/pci-host: " Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 52/56] system: replace assert(0) with g_assert_not_reached() Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 53/56] ui/sdl2: release all modifiers Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 54/56] ui/sdl2: ignore GUI keys in SDL_TEXTINPUT handler Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 55/56] ui/sdl2: set swap interval explicitly when OpenGL is enabled Philippe Mathieu-Daudé
2024-09-11 12:14 ` [PULL 56/56] ui: remove break after g_assert_not_reached() Philippe Mathieu-Daudé
2024-09-12 6:54 ` [PULL 00/56] Misc HW & UI patches Philippe Mathieu-Daudé