qemu-devel.nongnu.org archive mirror
From: Dmitry Osipenko <dmitry.osipenko@collabora.com>
To: "Alex Bennée" <alex.bennee@linaro.org>
Cc: "Akihiko Odaki" <odaki@rsg.ci.i.u-tokyo.ac.jp>,
	"Huang Rui" <ray.huang@amd.com>,
	"Marc-André Lureau" <marcandre.lureau@redhat.com>,
	"Philippe Mathieu-Daudé" <philmd@linaro.org>,
	"Gerd Hoffmann" <kraxel@redhat.com>,
	"Pierre-Eric Pelloux-Prayer" <pierre-eric.pelloux-prayer@amd.com>,
	"Michael S . Tsirkin" <mst@redhat.com>,
	"Paolo Bonzini" <pbonzini@redhat.com>,
	"Yiwei Zhang" <zzyiwei@gmail.com>,
	"Sergio Lopez Pascual" <slp@redhat.com>,
	"Gert Wollny" <gert.wollny@collabora.com>,
	qemu-devel@nongnu.org,
	"Gurchetan Singh" <gurchetansingh@chromium.org>,
	"Alyssa Ross" <hi@alyssa.is>,
	"Roger Pau Monné" <roger.pau@citrix.com>,
	"Alex Deucher" <alexander.deucher@amd.com>,
	"Stefano Stabellini" <stefano.stabellini@amd.com>,
	"Christian König" <christian.koenig@amd.com>,
	"Xenia Ragiadakou" <xenia.ragiadakou@amd.com>,
	"Honglei Huang" <honglei1.huang@amd.com>,
	"Julia Zhang" <julia.zhang@amd.com>,
	"Chen Jiqian" <Jiqian.Chen@amd.com>,
	"Rob Clark" <robdclark@gmail.com>,
	"Robert Beckett" <bob.beckett@collabora.com>
Subject: Re: [RFC PATCH v4 2/7] virtio-gpu: Validate hostmem mapping offset
Date: Tue, 25 Nov 2025 18:32:23 +0300
Message-ID: <fe171938-9c05-4636-a138-ee62a4eabc3b@collabora.com>
In-Reply-To: <8734628gz0.fsf@draig.linaro.org>

On 11/25/25 14:54, Alex Bennée wrote:
> Dmitry Osipenko <dmitry.osipenko@collabora.com> writes:
> 
>> Check hostmem mapping boundaries originating from the guest.
>>
>> Suggested-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
>> Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
>> ---
>>  hw/display/virtio-gpu-virgl.c | 8 ++++++++
>>  1 file changed, 8 insertions(+)
>>
>> diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c
>> index a6860f63b563..2224f59cf5d7 100644
>> --- a/hw/display/virtio-gpu-virgl.c
>> +++ b/hw/display/virtio-gpu-virgl.c
>> @@ -126,6 +126,14 @@ virtio_gpu_virgl_map_resource_blob(VirtIOGPU *g,
>>          return -EOPNOTSUPP;
>>      }
>>  
>> +    if (offset + res->base.blob_size > b->conf.hostmem ||
>> +        offset + res->base.blob_size < offset) {
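Review bot: the wrap test `offset + res->base.blob_size < offset` in the new `if` in virtio_gpu_virgl_map_resource_blob() is correct provided both operands are unsigned 64-bit (the sum is smaller than one addend exactly when the addition wrapped), but its intent is not self-evident, as the question below shows; either add a one-line comment stating that it rejects guest-supplied offsets large enough to wrap the sum, or rewrite the condition in subtraction form, which never forms the sum and so cannot wrap: `if (res->base.blob_size > b->conf.hostmem || offset > b->conf.hostmem - res->base.blob_size)`. Note also that the hunk as quoted stops before the body of the `if`, so the error returned to the guest for an out-of-range mapping is not visible here; it should be distinguishable from the -EOPNOTSUPP returned just above.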
> 
> This second check seems weird. offset + blob_size could only ever be
> smaller than offset if blob_size was negative. I feel we should have
> caught that earlier if it can happen.
> 
> Are we trying to catch an overflow here?

The second check catches integer overflow for a huge mblob.offset, which
is a u64 coming from the guest. This wasn't caught before; we missed
validation of the offset value.

-- 
Best regards,
Dmitry
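The overflow case discussed above, as an added illustration that is not part of this thread or of QEMU's code: three forms of the same bounds check run over constructed guest inputs. The function names, the 64 MiB HOSTMEM_SIZE value and the sample offsets are all made up for the example; "hostmem" stands in for b->conf.hostmem, "offset" for the guest-supplied mblob.offset and "blob_size" for res->base.blob_size.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration of the bounds check discussed in the thread.
 * None of this is QEMU code: the function names, HOSTMEM_SIZE and the
 * sample inputs are constructed for the example.
 */

#define HOSTMEM_SIZE (64ULL * 1024 * 1024)   /* constructed: 64 MiB window */

/* Naive upper-bound test. With a guest-chosen offset close to
 * UINT64_MAX the addition wraps around, the sum looks small, and a
 * mapping that starts far outside hostmem is accepted. */
bool range_ok_naive(uint64_t offset, uint64_t blob_size, uint64_t hostmem)
{
    return offset + blob_size <= hostmem;
}

/* The check as written in the patch: upper bound plus an explicit wrap
 * test. For unsigned operands, offset + blob_size < offset holds
 * exactly when the addition wrapped. */
bool range_ok_wrapcheck(uint64_t offset, uint64_t blob_size, uint64_t hostmem)
{
    if (offset + blob_size > hostmem || offset + blob_size < offset) {
        return false;
    }
    return true;
}

/* Subtraction form: rejects blob_size > hostmem first so that
 * hostmem - blob_size cannot underflow, then compares the offset with
 * the largest start that still fits. The sum is never formed, so
 * there is nothing to wrap. */
bool range_ok_sub(uint64_t offset, uint64_t blob_size, uint64_t hostmem)
{
    if (blob_size > hostmem) {
        return false;
    }
    return offset <= hostmem - blob_size;
}

struct sample {
    const char *what;
    uint64_t offset;
    uint64_t blob_size;
};

/* Constructed guest inputs, including the wrapping case from the thread. */
static const struct sample samples[] = {
    { "whole window",            0,                 HOSTMEM_SIZE },
    { "last byte",               HOSTMEM_SIZE - 1,  1 },
    { "one past the end",        HOSTMEM_SIZE,      1 },
    { "size larger than window", 0,                 HOSTMEM_SIZE + 1 },
    { "huge offset, sum wraps",  UINT64_MAX - 4095, 8192 },
    { "huge offset, tiny size",  UINT64_MAX,        1 },
};

#define NSAMPLES (sizeof(samples) / sizeof(samples[0]))

/* Number of samples the naive check accepts but the patch's check
 * rejects: these are the guest inputs the added validation catches. */
int naive_false_accepts(void)
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++) {
        bool naive = range_ok_naive(samples[i].offset, samples[i].blob_size, HOSTMEM_SIZE);
        bool wrap = range_ok_wrapcheck(samples[i].offset, samples[i].blob_size, HOSTMEM_SIZE);
        if (naive && !wrap) {
            n++;
        }
    }
    return n;
}

/* Number of samples on which the patch's form and the subtraction form
 * disagree; zero means the two are interchangeable on these inputs. */
int wrapcheck_sub_disagreements(void)
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++) {
        if (range_ok_wrapcheck(samples[i].offset, samples[i].blob_size, HOSTMEM_SIZE) !=
            range_ok_sub(samples[i].offset, samples[i].blob_size, HOSTMEM_SIZE)) {
            n++;
        }
    }
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++) {
        const struct sample *s = &samples[i];
        printf("%-24s naive=%d wrapcheck=%d sub=%d\n", s->what,
               range_ok_naive(s->offset, s->blob_size, HOSTMEM_SIZE),
               range_ok_wrapcheck(s->offset, s->blob_size, HOSTMEM_SIZE),
               range_ok_sub(s->offset, s->blob_size, HOSTMEM_SIZE));
    }
    printf("naive false accepts: %d, wrapcheck/sub disagreements: %d\n",
           naive_false_accepts(), wrapcheck_sub_disagreements());
    return 0;
}
```

The two wrapping samples are the ones the naive test lets through: UINT64_MAX - 4095 plus 8192 wraps to 4096, and UINT64_MAX plus 1 wraps to 0, both comfortably "inside" a 64 MiB window. Both the patch's form and the subtraction form reject them and agree on every other sample. One caveat both forms share: a zero-length blob at offset == hostmem is accepted, since the range is empty; whether that should be refused is a separate question the patch does not address.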



Thread overview: 19+ messages
2025-11-25  2:35 [RFC PATCH v4 0/7] Support mapping virtio-gpu virgl hostmem blobs using MAP_FIXED API Dmitry Osipenko
2025-11-25  2:35 ` [RFC PATCH v4 1/7] virtio-gpu: Remove superfluous memory_region_set_enabled() Dmitry Osipenko
2025-11-25 11:41   ` Alex Bennée
2025-11-25  2:35 ` [RFC PATCH v4 2/7] virtio-gpu: Validate hostmem mapping offset Dmitry Osipenko
2025-11-25 11:54   ` Alex Bennée
2025-11-25 15:32     ` Dmitry Osipenko [this message]
2025-11-25  2:35 ` [RFC PATCH v4 3/7] virtio-gpu: Improve virgl_cmd_resource_map_blob() error handling Dmitry Osipenko
2025-11-25 12:00   ` Alex Bennée
2025-11-25 15:40     ` Dmitry Osipenko
2025-11-25  2:35 ` [RFC PATCH v4 4/7] virtio-gpu: Make virtio_gpu_virgl_unmap_resource_blob() return -1 on error Dmitry Osipenko
2025-11-25 12:09   ` Alex Bennée
2025-11-25 15:49     ` Dmitry Osipenko
2025-12-05  4:08       ` Akihiko Odaki
2025-12-08  0:43         ` Dmitry Osipenko
2025-11-25  2:35 ` [RFC PATCH v4 5/7] virtio-gpu: Destroy virgl resources on virtio-gpu reset Dmitry Osipenko
2025-11-25  2:35 ` [RFC PATCH v4 6/7] virtio-gpu: Make virtio_gpu_virgl_init() return -1 on error Dmitry Osipenko
2025-11-25 12:11   ` Alex Bennée
2025-11-25  2:35 ` [RFC PATCH v4 7/7] virtio-gpu: Support mapping hostmem blobs with map_fixed Dmitry Osipenko
2025-11-25  6:23   ` Akihiko Odaki
