Re: [PATCH] hyperv/syndbg: check length returned by cpu_physical_memory_map() [Fixes: CVE-2026-3842]

public inbox for qemu-devel@nongnu.org
 help / color / mirror / Atom feed

From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: qemu-devel@nongnu.org, mcascell@redhat.com, security@1seal.org
Subject: Re: [PATCH] hyperv/syndbg: check length returned by cpu_physical_memory_map() [Fixes: CVE-2026-3842]
Date: Tue, 10 Mar 2026 09:04:12 +0000	[thread overview]
Message-ID: <aa_ejKVroDIHj4ta@redhat.com> (raw)
In-Reply-To: <20260309190155.80619-1-pbonzini@redhat.com>

On Mon, Mar 09, 2026 at 08:01:44PM +0100, Paolo Bonzini wrote:
> If cpu_physical_memory_map() returns a length shorter than the one
> that was passed into the function, writing the full out_len bytes
> causes an access beyond the memory allocated to the guest; or in
> the case of the MMIO bounce buffer, an out-of-bounds access in a
> heap-allocated object.
> 
> Add a check similar to the one already in handle_send_msg(),
> and take the occasion to remove repeated computations of
> recv_byte_count + UDP_PKT_HEADER_SIZE and clarify that the
> code does not write past out_len bytes.
> 

Can you add

  Fixes: CVE-2026-3842

> Reported-by: Oleh Konko <https://github.com/1seal>
> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
>  hw/hyperv/syndbg.c | 23 +++++++++++------------
>  1 file changed, 11 insertions(+), 12 deletions(-)

With regards,
Daniel
-- 
|: https://berrange.com       ~~        https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~          https://entangle-photo.org :|
|: https://pixelfed.art/berrange   ~~    https://fstop138.berrange.com :|

next prev parent reply	other threads:[~2026-03-10  9:04 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-09 19:01 [PATCH] hyperv/syndbg: check length returned by cpu_physical_memory_map() [Fixes: CVE-2026-3842] Paolo Bonzini
2026-03-10  9:04 ` Daniel P. Berrangé [this message]
2026-03-12 19:34 ` Michael Tokarev
2026-03-12 20:28   ` Daniel P. Berrangé

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aa_ejKVroDIHj4ta@redhat.com \
    --to=berrange@redhat.com \
    --cc=mcascell@redhat.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=security@1seal.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox