Commit d0803a90c8 for qemu.org
commit d0803a90c8fa54c3867ab1ae4b9aee7e57d2e0d2
Author: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Date: Wed Mar 4 16:50:39 2026 +0000
virtio-gpu: Validate hostmem mapping offset
Check the hostmem mapping boundaries that originate from the guest.
Suggested-by: Akihiko Odaki <odaki@rsg.ci.i.u-tokyo.ac.jp>
Reviewed-by: Akihiko Odaki <akihiko.odaki@daynix.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Message-ID: <20260303151422.977399-16-dmitry.osipenko@collabora.com>
Message-ID: <20260304165043.1437519-18-alex.bennee@linaro.org>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c
index abf7c176a6..f4d1113827 100644
--- a/hw/display/virtio-gpu-virgl.c
+++ b/hw/display/virtio-gpu-virgl.c
@@ -791,6 +791,7 @@ static void virgl_cmd_resource_map_blob(VirtIOGPU *g,
struct virtio_gpu_resource_map_blob mblob;
struct virtio_gpu_virgl_resource *res;
struct virtio_gpu_resp_map_info resp;
+ VirtIOGPUBase *b = VIRTIO_GPU_BASE(g);
int ret;
VIRTIO_GPU_FILL_CMD(mblob);
@@ -804,6 +805,15 @@ static void virgl_cmd_resource_map_blob(VirtIOGPU *g,
return;
}
+ if (mblob.offset + res->base.blob_size > b->conf.hostmem ||
+ mblob.offset + res->base.blob_size < mblob.offset) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: failed to map virgl resource: invalid offset\n",
+ __func__);
+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;
+ return;
+ }
+
ret = virtio_gpu_virgl_map_resource_blob(g, res, mblob.offset);
if (ret) {
cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;
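Review bot: The range test on the first two added lines of this hunk evaluates `mblob.offset + res->base.blob_size` twice and detects overflow by relying on the unsigned sum wrapping, which reads as two unrelated conditions when it is a single bounds check; the subtraction form states the same thing without ever forming a wrapping sum: `if (res->base.blob_size > b->conf.hostmem || mblob.offset > b->conf.hostmem - res->base.blob_size) {`. That rewrite is equivalent only if offset, blob_size and hostmem are all unsigned 64-bit values, which the hunk does not show, so confirm the field types before changing it. The LOG_GUEST_ERROR message would also be more useful when triaging a misbehaving guest if it carried the rejected values, e.g. `"%s: failed to map virgl resource: invalid offset 0x%" PRIx64 " size 0x%" PRIx64 "\n"` with `mblob.offset, res->base.blob_size` appended to the argument list (again assuming uint64_t fields). virgl_cmd_resource_map_blob begins before this hunk and continues after it.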