Commit 61679d7dcf for qemu.org
commit 61679d7dcfa2dffc8fb115aa19b09e0e7cf5ea5c
Author: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Date: Fri Feb 20 11:40:14 2026 +0200
virtio-snd: handle 5.14.6.2 for PCM_INFO properly
The section 5.14.6.2 of the VIRTIO spec says:
5.14.6.2 Driver Requirements: Item Information Request
- The driver MUST NOT set start_id and count such that start_id +
count is greater than the total number of particular items that is
indicated in the device configuration space.
- The driver MUST provide a buffer of sizeof(struct virtio_snd_hdr) +
count * size bytes for the response.
While we performed some check for the second requirement, it failed to
check for integer overflow.
Add also a check for the first requirement, which should limit exposure
to any overflow, since realistically the number of streams will be low
enough in value such that overflow is improbable.
Cc: qemu-stable@nongnu.org
Reported-by: 罗铭源 <myluo24@m.fudan.edu.cn>
Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Message-Id: <20260220-virtio-snd-series-v1-3-207c4f7200a2@linaro.org>
diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
index 232179a04a..ae8bfbca43 100644
--- a/hw/audio/virtio-snd.c
+++ b/hw/audio/virtio-snd.c
@@ -156,7 +156,7 @@ static virtio_snd_pcm_set_params *virtio_snd_pcm_get_params(VirtIOSound *s,
static void virtio_snd_handle_pcm_info(VirtIOSound *s,
virtio_snd_ctrl_command *cmd)
{
- uint32_t stream_id, start_id, count, size;
+ uint32_t stream_id, start_id, count, size, tmp;
virtio_snd_pcm_info val;
virtio_snd_query_info req;
VirtIOSoundPCMStream *stream = NULL;
@@ -179,11 +179,34 @@ static void virtio_snd_handle_pcm_info(VirtIOSound *s,
count = le32_to_cpu(req.count);
size = le32_to_cpu(req.size);
- if (iov_size(cmd->elem->in_sg, cmd->elem->in_num) <
- sizeof(virtio_snd_hdr) + size * count) {
+ /*
+ * 5.14.6.2 Driver Requirements: Item Information Request
+ * "The driver MUST NOT set start_id and count such that start_id + count
+ * is greater than the total number of particular items that is indicated
+ * in the device configuration space."
+ */
+ if (start_id > s->snd_conf.streams
+ || !g_uint_checked_add(&tmp, start_id, count)
+ || start_id + count > s->snd_conf.streams) {
+ error_report("pcm info: start_id + count is greater than the total "
+ "number of streams, got: start_id = %u, count = %u",
+ start_id, count);
+ cmd->resp.code = cpu_to_le32(VIRTIO_SND_S_BAD_MSG);
+ return;
+ }
+
+ /*
+ * 5.14.6.2 Driver Requirements: Item Information Request
+ * "The driver MUST provide a buffer of sizeof(struct virtio_snd_hdr) +
+ * count * size bytes for the response."
+ */
+ if (!g_uint_checked_mul(&tmp, size, count)
+ || !g_uint_checked_add(&tmp, tmp, sizeof(virtio_snd_hdr))
+ || iov_size(cmd->elem->in_sg, cmd->elem->in_num) <
+ sizeof(virtio_snd_hdr) + size * count) {
error_report("pcm info: buffer too small, got: %zu, needed: %zu",
iov_size(cmd->elem->in_sg, cmd->elem->in_num),
- sizeof(virtio_snd_pcm_info));
+ sizeof(virtio_snd_pcm_info) * count);
cmd->resp.code = cpu_to_le32(VIRTIO_SND_S_BAD_MSG);
return;
}