[Stable-9.0.3 12/69] virtio-snd: check for invalid param shift operands

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Stable-9.0.3 12/69] virtio-snd: check for invalid param shift operands

From:	Michael Tokarev
Subject:	[Stable-9.0.3 12/69] virtio-snd: check for invalid param shift operands
Date:	Fri, 6 Sep 2024 14:12:21 +0300

From: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>

When setting the parameters of a PCM stream, we compute the bit flag
with the format and rate values as shift operand to check if they are
set in supported_formats and supported_rates.

If the guest provides a format/rate value which when shifting 1 results
in a value bigger than the number of bits in
supported_formats/supported_rates, we must report an error.

Previously, this ended up triggering the not reached assertions later
when converting to internal QEMU values.

Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2416
Signed-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>
Message-Id: <virtio-snd-fuzz-2416-fix-v1-manos.pitsidianakis@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
(cherry picked from commit 9b6083465fb8311f2410615f8303a41f580a2a20)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>

diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c
index 541f0797ac..2b80072b04 100644
--- a/hw/audio/virtio-snd.c
+++ b/hw/audio/virtio-snd.c
@@ -282,11 +282,13 @@ uint32_t virtio_snd_set_pcm_params(VirtIOSound *s,
         error_report("Number of channels is not supported.");
         return cpu_to_le32(VIRTIO_SND_S_NOT_SUPP);
     }
-    if (!(supported_formats & BIT(params->format))) {
+    if (BIT(params->format) > sizeof(supported_formats) ||
+        !(supported_formats & BIT(params->format))) {
         error_report("Stream format is not supported.");
         return cpu_to_le32(VIRTIO_SND_S_NOT_SUPP);
     }
-    if (!(supported_rates & BIT(params->rate))) {
+    if (BIT(params->rate) > sizeof(supported_rates) ||
+        !(supported_rates & BIT(params->rate))) {
         error_report("Stream rate is not supported.");
         return cpu_to_le32(VIRTIO_SND_S_NOT_SUPP);
     }
-- 
2.39.2

[Prev in Thread]

Current Thread

[Next in Thread]

[Stable-9.0.3 02/69] scsi: fix regression and honor bootindex again for legacy drives, (continued)
- [Stable-9.0.3 02/69] scsi: fix regression and honor bootindex again for legacy drives, Michael Tokarev, 2024/09/06
- [Stable-9.0.3 04/69] target/arm: Fix handling of LDAPR/STLR with negative offset, Michael Tokarev, 2024/09/06
- [Stable-9.0.3 05/69] target/arm: LDAPR should honour SCTLR_ELx.nAA, Michael Tokarev, 2024/09/06
- [Stable-9.0.3 03/69] qapi/qom: Document feature unstable of @x-vfio-user-server, Michael Tokarev, 2024/09/06
- [Stable-9.0.3 07/69] target/arm: Use FPST_F16 for SME FMOPA (widening), Michael Tokarev, 2024/09/06
- [Stable-9.0.3 08/69] hvf: arm: Do not advance PC when raising an exception, Michael Tokarev, 2024/09/06
- [Stable-9.0.3 09/69] hw/nvme: fix memory leak in nvme_dsm, Michael Tokarev, 2024/09/06
- [Stable-9.0.3 06/69] target/arm: Use float_status copy in sme_fmopa_s, Michael Tokarev, 2024/09/06
- [Stable-9.0.3 10/69] hw/cxl/cxl-host: Fix segmentation fault when getting cxl-fmw property, Michael Tokarev, 2024/09/06
- [Stable-9.0.3 11/69] virtio-snd: add max size bounds check in input cb, Michael Tokarev, 2024/09/06
- [Stable-9.0.3 12/69] virtio-snd: check for invalid param shift operands, Michael Tokarev <=
- [Stable-9.0.3 13/69] intel_iommu: fix FRCD construction macro, Michael Tokarev, 2024/09/06
- [Stable-9.0.3 14/69] target/i386: do not crash if microvm guest uses SGX CPUID leaves, Michael Tokarev, 2024/09/06
- [Stable-9.0.3 15/69] chardev/char-win-stdio.c: restore old console mode, Michael Tokarev, 2024/09/06
- [Stable-9.0.3 16/69] hw/intc/loongson_ipi: Access memory in little endian, Michael Tokarev, 2024/09/06
- [Stable-9.0.3 17/69] hw/intc/loongson_ipi: Fix resource leak, Michael Tokarev, 2024/09/06
- [Stable-9.0.3 19/69] util/async.c: Forbid negative min/max in aio_context_set_thread_pool_params(), Michael Tokarev, 2024/09/06
- [Stable-9.0.3 18/69] target/loongarch: Fix helper_lddir() a CID INTEGER_OVERFLOW issue, Michael Tokarev, 2024/09/06
- [Stable-9.0.3 22/69] target/rx: Use target_ulong for address in LI, Michael Tokarev, 2024/09/06
- [Stable-9.0.3 21/69] hw/virtio: Fix the de-initialization of vhost-user devices, Michael Tokarev, 2024/09/06
- [Stable-9.0.3 20/69] Revert "qemu-char: do not operate on sources from finalize callbacks", Michael Tokarev, 2024/09/06

Prev by Date: [Stable-9.0.3 11/69] virtio-snd: add max size bounds check in input cb
Next by Date: [Stable-9.0.3 13/69] intel_iommu: fix FRCD construction macro
Previous by thread: [Stable-9.0.3 11/69] virtio-snd: add max size bounds check in input cb
Next by thread: [Stable-9.0.3 13/69] intel_iommu: fix FRCD construction macro
Index(es):
- Date
- Thread