[{"id":3678729,"web_url":"http://patchwork.ozlabs.org/comment/3678729/","msgid":"<87h5p9ravi.fsf@draig.linaro.org>","list_archive_url":null,"date":"2026-04-17T13:10:09","subject":"Re: [PATCH 1/2] virtio-snd: check rx buffer descriptor size","submitter":{"id":39532,"url":"http://patchwork.ozlabs.org/api/people/39532/","name":"Alex Bennée","email":"alex.bennee@linaro.org"},"content":"Manos Pitsidianakis writes:\n\n> It must be at least sizeof(virtio_snd_pcm_status).\n>\n> I haven't verified if it's possible to get an underflow, but coverity\n> points it out so add a check.\n>\n> Signed-off-by: Manos Pitsidianakis \n\nReviewed-by: Alex Bennée \n\n> ---\n> hw/audio/virtio-snd.c | 8 +++++---\n> 1 file changed, 5 insertions(+), 3 deletions(-)\n>\n> diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c\n> index fb5cff386606d03e5cfce88f79e404e510bbcde7..93fbcfb43f7fdcfd5c164b496015da743822f5eb 100644\n> --- a/hw/audio/virtio-snd.c\n> +++ b/hw/audio/virtio-snd.c\n> @@ -970,12 +970,14 @@ static void virtio_snd_handle_rx_xfer(VirtIODevice *vdev, VirtQueue *vq)\n> }\n> \n> stream = vsnd->pcm.streams[stream_id];\n> - if (stream == NULL || stream->info.direction != VIRTIO_SND_D_INPUT) {\n> + size = iov_size(elem->in_sg, elem->in_num);\n> + if (stream == NULL\n> + || stream->info.direction != VIRTIO_SND_D_INPUT\n> + || size < sizeof(virtio_snd_pcm_status)) {\n> goto rx_err;\n> }\n> + size -= sizeof(virtio_snd_pcm_status);\n> WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) {\n> - size = iov_size(elem->in_sg, elem->in_num) -\n> - sizeof(virtio_snd_pcm_status);\n> buffer = g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size);\n> buffer->elem = elem;\n> buffer->vq = vq;","headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256\n header.s=google header.b=VvJL4fQp;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fxwHj08S6z1yD3\n\tfor ; Fri, 17 Apr 2026 23:11:13 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from )\n\tid 1wDixt-000107-4B; Fri, 17 Apr 2026 09:10:33 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from )\n id 1wDixa-0000tv-Co\n for qemu-devel@nongnu.org; Fri, 17 Apr 2026 09:10:20 -0400","from mail-wr1-x433.google.com ([2a00:1450:4864:20::433])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from )\n id 1wDixY-0004W7-Ru\n for qemu-devel@nongnu.org; Fri, 17 Apr 2026 09:10:14 -0400","by mail-wr1-x433.google.com with SMTP id\n ffacd0b85a97d-43d73352cf2so572850f8f.1\n for ; Fri, 17 Apr 2026 06:10:12 -0700 (PDT)","from draig.lan ([185.124.0.195]) by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-43fe4cc0f31sm4536601f8f.12.2026.04.17.06.10.10\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 17 Apr 2026 06:10:10 -0700 (PDT)","from draig (localhost [IPv6:::1])\n by draig.lan (Postfix) with ESMTP id AA6445F94F;\n Fri, 17 Apr 2026 14:10:09 +0100 (BST)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=linaro.org; s=google; t=1776431411; x=1777036211; darn=nongnu.org;\n h=content-transfer-encoding:mime-version:message-id:date:user-agent\n :references:in-reply-to:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=fE6cmIgEX/iCBz9+S+LNj8O9wv7bHj0X353rhMnTYrw=;\n b=VvJL4fQpCvPJe6AalYIimgWdYbUcKPnxIs6+ACXanKiRtQPCUH4kEJIKf0ZK4Mxds+\n iOWTl9iUDPnvt+MU0utk2IH0Q4g26+CB+Yu0bh29eTp2r6XHAY4t/CwPXGxTeL5ETn+4\n +Qg1rNuCd5isw5+6r2SVTPkupMmFaBv6S9d+2mVJywVVaDe9aeFFw67DVB9SVlP7D1Sz\n HPKBSE8orBk1s3lzpJE4y7d0di6M/j7AYPmqQ5J+2q/k5Fl+a/LMpJfMHRkJxF76jysf\n MIuPQUAf0UghAvUByhemdFQc8iOxieRsP2Zhh7gPV5PZgdeRt5r7+d4ou1MgI9twboZy\n g1Ew==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776431411; x=1777036211;\n h=content-transfer-encoding:mime-version:message-id:date:user-agent\n :references:in-reply-to:subject:cc:to:from:x-gm-gg\n :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;\n bh=fE6cmIgEX/iCBz9+S+LNj8O9wv7bHj0X353rhMnTYrw=;\n b=qvgqaTGck241pZEfz3zJD7Mqvj+bS6Xk/+Afiv6aU6nZVLUhvoKIK/wAv6bEt3vTD9\n BePpVYhvhnkHqAK9lvHp8zWUERYijeAIsEk5VJ0zGyJ5hPasDmn4dD5E/eUzHuyx0EjJ\n rwWvNDq2Y+wCSXNGnszw3k5eSjJDCbNvP3Uro6ADeLW1s93JOqgahoNSjtIV80gii8Mf\n pafweGrUn0++aJPigm/Jxav9AlniPWFccofw7aNn+25nU1M42Uls+lJcW6SmeQyFirel\n LDEn24PYVdWTacPAxLQhdK/AOATP+CPtIKKGwfbzkH/86hC4PsladqXX9kovtsDNefwE\n UbKQ==","X-Gm-Message-State":"AOJu0YyryFd/8v+aupd4pqlsXv8YT7e66tfuyX7lm/tr6Z0gfU4vncwl\n ahftCbeYjcV9/80yTJ/nadivXkGhNl/wQJ7R2p2jGT8FVTtnwpz/CU5TyOxnXmQyKmg=","X-Gm-Gg":"AeBDieuK1tv65jIlNBDhyWkIzPPPQb5eNIAHmhNRHcbg/rd/Nj12tqLY7do4RsJaGq3\n I3kC8xdvZy4gC5z+Z8Tzb0jW8Dv82ZRRadd5b/jCAlU6P2sctCNRQAieEepcYrZjAaV1qYLKoRu\n HYfYOlNAMItRiyXjUGDiJgOO569PadheIikwMOhl68RGP/W0QdxW2GXzzGqrxrWqgYkP3/LfhiX\n dcrw1OZygXHf9S1nFCJXNCPDAaH7WrQzLPiP10gRn5zPYT4Fum+j9kmfVZfRuTvAeiNOzJw+5+T\n emoRourfdbcgTXVqCCeTdYhSW88LB/oUG2IpaBONz0s5X2gcSkIODJTk306Y22Cm114RYdHdGmN\n tWiTyLqooW/uFXtMBkZMKwdJOofdhpYBh0EFZSRQC/LQf3vsL48wHClAxz9f4jttUmKP/MNJMue\n qGSStSt4nyYJh72m7JD1inOxCvYe0AQ1R4mw==","X-Received":"by 2002:a05:6000:381:b0:43b:5b25:67f8 with SMTP id\n ffacd0b85a97d-43fe3dd4ce6mr4296173f8f.20.1776431411149;\n Fri, 17 Apr 2026 06:10:11 -0700 (PDT)","From":"=?utf-8?q?Alex_Benn=C3=A9e?= ","To":"Manos Pitsidianakis ","Cc":"qemu-devel@nongnu.org, Gerd Hoffmann ,\n \"Michael S. Tsirkin\" , Philippe =?utf-8?q?Mathieu-Daud?=\n\t=?utf-8?q?=C3=A9?= , qemu-stable@nongnu.org","Subject":"Re: [PATCH 1/2] virtio-snd: check rx buffer descriptor size","In-Reply-To":"<20260416-virtio-fixups-v1-1-ec14e2de0852@linaro.org> (Manos\n Pitsidianakis's message of \"Thu, 16 Apr 2026 08:48:09 +0300\")","References":"<20260416-virtio-fixups-v1-0-ec14e2de0852@linaro.org>\n <20260416-virtio-fixups-v1-1-ec14e2de0852@linaro.org>","User-Agent":"mu4e 1.14.1-pre2; emacs 30.1","Date":"Fri, 17 Apr 2026 14:10:09 +0100","Message-ID":"<87h5p9ravi.fsf@draig.linaro.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Transfer-Encoding":"quoted-printable","Received-SPF":"pass client-ip=2a00:1450:4864:20::433;\n envelope-from=alex.bennee@linaro.org; helo=mail-wr1-x433.google.com","X-Spam_score_int":"-20","X-Spam_score":"-2.1","X-Spam_bar":"--","X-Spam_report":"(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"}}]