Commit bcb53328aa for qemu.org

commit bcb53328aa70023f1405fade4e253e7f77567261
Author: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Date:   Fri Feb 20 11:40:15 2026 +0200

    virtio-snd: fix max_size bounds check in input cb

    In 98e77e3d we calculated the max size and checked that each buffer is smaller than it.

    We neglected to subtract the size of the virtio_snd_pcm_status header
    from the max size, and max_size was thus larger than the correct value,
    leading to potential OOB writes.

    If the buffer cannot fit the header or can fit only the header, return
    the buffer immediately.

    Cc: qemu-stable@nongnu.org
    Fixes: 98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3 ("virtio-snd: add max size bounds check in input cb")
    Reported-by: DARKNAVY <vr@darknavy.com>
    Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Message-Id: <20260220-virtio-snd-series-v1-4-207c4f7200a2@linaro.org>

diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
index ae8bfbca43..d1a46d47bc 100644
--- a/hw/audio/virtio-snd.c
+++ b/hw/audio/virtio-snd.c
@@ -1265,6 +1265,12 @@ static void virtio_snd_pcm_in_cb(void *data, int available)
             }

             max_size = iov_size(buffer->elem->in_sg, buffer->elem->in_num);
+            if (max_size <= sizeof(virtio_snd_pcm_status)) {
+                return_rx_buffer(stream, buffer);
+                continue;
+            }
+            max_size -= sizeof(virtio_snd_pcm_status);
+
             for (;;) {
                 if (buffer->size >= max_size) {
                     return_rx_buffer(stream, buffer);
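Review bot: the early-return branch at `if (max_size <= sizeof(virtio_snd_pcm_status))` and the `max_size -= sizeof(virtio_snd_pcm_status);` that follows carry no comment explaining why the header size is subtracted, and the commit message is the only place that records that the status header must fit in the same in_sg alongside the sample data; a one-line comment above the subtraction (e.g. "/* leave room for the virtio_snd_pcm_status written after the samples */") would keep a later cleanup from dropping it and reintroducing the overflow this patch fixes. The `continue;` in the new branch also assumes an enclosing loop over the stream's RX buffers that the hunk does not show; worth confirming in review that return_rx_buffer() hands the buffer back to the guest and the outer loop moves on to the next one, so a run of undersized buffers is drained rather than spun on. With the subtraction in place, the existing `if (buffer->size >= max_size)` check now compares against the payload capacity only, which is the intended semantics, so that line needs no change.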