* [PATCH] hyperv/syndbg: check length returned by cpu_physical_memory_map() [Fixes: CVE-2026-3842]
From: Paolo Bonzini @ 2026-03-09 19:01 UTC (permalink / raw)
To: qemu-devel; +Cc: mcascell, security, Daniel P. Berrangé
If cpu_physical_memory_map() returns a length shorter than the one
that was passed into the function, writing the full out_len bytes
causes an access beyond the memory allocated to the guest; or in
the case of the MMIO bounce buffer, an out-of-bounds access in a
heap-allocated object.
Add a check similar to the one already in handle_send_msg(),
and take the occasion to remove repeated computations of
recv_byte_count + UDP_PKT_HEADER_SIZE and clarify that the
code does not write past out_len bytes.
Reported-by: Oleh Konko <https://github.com/1seal>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
hw/hyperv/syndbg.c | 23 +++++++++++------------
1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/hw/hyperv/syndbg.c b/hw/hyperv/syndbg.c
index 1e177f9dd82..10171b19e8f 100644
--- a/hw/hyperv/syndbg.c
+++ b/hw/hyperv/syndbg.c
@@ -194,7 +194,7 @@ static uint16_t handle_recv_msg(HvSynDbg *syndbg, uint64_t outgpa,
uint16_t ret;
g_assert(MSG_BUFSZ >= qemu_target_page_size());
QEMU_UNINITIALIZED uint8_t data_buf[MSG_BUFSZ];
- hwaddr out_len;
+ hwaddr out_len, out_requested_len;
void *out_data;
ssize_t recv_byte_count;
@@ -223,29 +223,28 @@ static uint16_t handle_recv_msg(HvSynDbg *syndbg, uint64_t outgpa,
if (is_raw) {
out_len += UDP_PKT_HEADER_SIZE;
}
+ out_requested_len = out_len;
out_data = cpu_physical_memory_map(outgpa, &out_len, 1);
- if (!out_data) {
- return HV_STATUS_INSUFFICIENT_MEMORY;
+ ret = HV_STATUS_INSUFFICIENT_MEMORY;
+ if (!out_data || out_len < out_requested_len) {
+ goto cleanup_out_data;
}
if (is_raw &&
- !create_udp_pkt(syndbg, out_data,
- recv_byte_count + UDP_PKT_HEADER_SIZE,
+ !create_udp_pkt(syndbg, out_data, out_len,
data_buf, recv_byte_count)) {
- ret = HV_STATUS_INSUFFICIENT_MEMORY;
goto cleanup_out_data;
} else if (!is_raw) {
- memcpy(out_data, data_buf, recv_byte_count);
+ memcpy(out_data, data_buf, out_len);
}
- *retrieved_count = recv_byte_count;
- if (is_raw) {
- *retrieved_count += UDP_PKT_HEADER_SIZE;
- }
+ *retrieved_count = out_len;
ret = HV_STATUS_SUCCESS;
cleanup_out_data:
- cpu_physical_memory_unmap(out_data, out_len, 1, out_len);
+ if (out_data) {
+ cpu_physical_memory_unmap(out_data, out_len, 1, out_len);
+ }
return ret;
}
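Review bot: the new early exit at `if (!out_data || out_len < out_requested_len)` reaches `cleanup_out_data` before anything has been written into the mapping, yet the unmap there still passes `out_len` as the access length in `cpu_physical_memory_unmap(out_data, out_len, 1, out_len)`; for a bounce-buffered MMIO mapping that writes `out_len` bytes of untouched buffer contents back to the guest. The pre-existing `create_udp_pkt()` failure path has the same shape. Consider tracking the number of bytes actually written (0 on the failure paths) and passing that as the access length. The short-mapping check itself looks right: `cpu_physical_memory_map()` never hands back more than it was asked for, so after the check `out_len == out_requested_len`, which is what makes `memcpy(out_data, data_buf, out_len)` and `*retrieved_count = out_len` equivalent to the removed `recv_byte_count` arithmetic.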
--
2.53.0
* Re: [PATCH] hyperv/syndbg: check length returned by cpu_physical_memory_map() [Fixes: CVE-2026-3842]
From: Daniel P. Berrangé @ 2026-03-10 9:04 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: qemu-devel, mcascell, security
On Mon, Mar 09, 2026 at 08:01:44PM +0100, Paolo Bonzini wrote:
> If cpu_physical_memory_map() returns a length shorter than the one
> that was passed into the function, writing the full out_len bytes
> causes an access beyond the memory allocated to the guest; or in
> the case of the MMIO bounce buffer, an out-of-bounds access in a
> heap-allocated object.
>
> Add a check similar to the one already in handle_send_msg(),
> and take the occasion to remove repeated computations of
> recv_byte_count + UDP_PKT_HEADER_SIZE and clarify that the
> code does not write past out_len bytes.
>
Can you add
Fixes: CVE-2026-3842
> Reported-by: Oleh Konko <https://github.com/1seal>
> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
> hw/hyperv/syndbg.c | 23 +++++++++++------------
> 1 file changed, 11 insertions(+), 12 deletions(-)
With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
* Re: [PATCH] hyperv/syndbg: check length returned by cpu_physical_memory_map() [Fixes: CVE-2026-3842]
From: Michael Tokarev @ 2026-03-12 19:34 UTC (permalink / raw)
To: Paolo Bonzini, qemu-devel
Cc: mcascell, security, Daniel P. Berrangé, qemu-stable
On 09.03.2026 22:01, Paolo Bonzini wrote:
> If cpu_physical_memory_map() returns a length shorter than the one
> that was passed into the function, writing the full out_len bytes
> causes an access beyond the memory allocated to the guest; or in
> the case of the MMIO bounce buffer, an out-of-bounds access in a
> heap-allocated object.
>
> Add a check similar to the one already in handle_send_msg(),
> and take the occasion to remove repeated computations of
> recv_byte_count + UDP_PKT_HEADER_SIZE and clarify that the
> code does not write past out_len bytes.
>
> Reported-by: Oleh Konko <https://github.com/1seal>
> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
I'm picking this up for qemu stable series.
Please let me know if I shouldn't :)
Thanks,
/mjt
* Re: [PATCH] hyperv/syndbg: check length returned by cpu_physical_memory_map() [Fixes: CVE-2026-3842]
From: Daniel P. Berrangé @ 2026-03-12 20:28 UTC (permalink / raw)
To: Michael Tokarev
Cc: Paolo Bonzini, qemu-devel, mcascell, security, qemu-stable
On Thu, Mar 12, 2026 at 10:34:20PM +0300, Michael Tokarev wrote:
> On 09.03.2026 22:01, Paolo Bonzini wrote:
> > If cpu_physical_memory_map() returns a length shorter than the one
> > that was passed into the function, writing the full out_len bytes
> > causes an access beyond the memory allocated to the guest; or in
> > the case of the MMIO bounce buffer, an out-of-bounds access in a
> > heap-allocated object.
> >
> > Add a check similar to the one already in handle_send_msg(),
> > and take the occasion to remove repeated computations of
> > recv_byte_count + UDP_PKT_HEADER_SIZE and clarify that the
> > code does not write past out_len bytes.
> >
> > Reported-by: Oleh Konko <https://github.com/1seal>
> > Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
>
> I'm picking this up for qemu stable series.
> Please let me know if I shouldn't :)
Yes, as a security fix it should go to stable too
With regards,
Daniel
--
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|