Thanks Manos for sending this,
On Mon, Jul 08, 2024 at 10:09:49AM +0300, Manos Pitsidianakis wrote:
When reading input audio in the virtio-snd input callback,
virtio_snd_pcm_in_cb(), we do not check whether the iov can actually fit
the data buffer. This is because we use the buffer->size field as a
total-so-far accumulator instead of byte-size-left like in TX buffers.
This triggers an out of bounds write if the size of the virtio queue
element is equal to virtio_snd_pcm_status, which makes the available
space for audio data zero.
Do you mean that the guest driver has set up a request in the rx queue
in which the writable chain of descriptors only contains the status? Is
this correct? Is `available` indicating the available space in the
virtqueue?
Thanks, Matias.