{"id":2196979,"url":"http://patchwork.ozlabs.org/api/1.0/patches/2196979/?format=json","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.0/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260216191213.2556073-16-dmitry.osipenko@collabora.com>","date":"2026-02-16T19:12:10","name":"[v17,15/18] virtio-gpu: Validate hostmem mapping offset","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"728a83b608626ebb05d8088053f84df1e4be6923","submitter":{"id":83453,"url":"http://patchwork.ozlabs.org/api/1.0/people/83453/?format=json","name":"Dmitry Osipenko","email":"dmitry.osipenko@collabora.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260216191213.2556073-16-dmitry.osipenko@collabora.com/mbox/","series":[{"id":492344,"url":"http://patchwork.ozlabs.org/api/1.0/series/492344/?format=json","date":"2026-02-16T19:11:55","name":"Support virtio-gpu DRM native context and MAP_FIXED API","version":17,"mbox":"http://patchwork.ozlabs.org/series/492344/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2196979/checks/","tags":{},"headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=collabora.com header.i=dmitry.osipenko@collabora.com\n header.a=rsa-sha256 header.s=zohomail header.b=QrHH/M/Z;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fFCDF2Vsbz1xtN\n\tfor ; Tue, 17 Feb 2026 06:15:57 +1100 (AEDT)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from )\n\tid 1vs43b-0001ZH-M3; Mon, 16 Feb 2026 14:14:58 -0500","from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from )\n id 1vs43J-00016G-Ht\n for qemu-devel@nongnu.org; Mon, 16 Feb 2026 14:14:39 -0500","from sender4-pp-f112.zoho.com ([136.143.188.112])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from )\n id 1vs43H-0003cl-4n\n for qemu-devel@nongnu.org; Mon, 16 Feb 2026 14:14:36 -0500","by mx.zohomail.com with SMTPS id 177126925933146.61990644785885;\n Mon, 16 Feb 2026 11:14:19 -0800 (PST)"],"ARC-Seal":"i=1; a=rsa-sha256; t=1771269260; cv=none;\n d=zohomail.com; s=zohoarc;\n b=H/Z/nuKiF+YpW2WKmEp7dyeD190js2UZvSuHfVzChHvtosg71j978f7RiwJFBi9Sxyes/MuoJMgmV64wRIDpgTVWMRb0RzNWcwzPE0dDatKfL3S92MriCOgzDyKphBG2HBOEJ9SJ3CsXRRTR6FFHOvRexucEO8dAej1OsSWqmv4=","ARC-Message-Signature":"i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;\n s=zohoarc; t=1771269260;\n h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To;\n bh=cZRQx4NZh6z59MAsL+uEWPok6i5r3bXHDoDlzrj55oE=;\n b=ZGJ2ZpoAEt+B6B1cryom89QkfNSGXGnIiKliuO56x09tMrFCdEmCZhf2VA+T2sAI3YqrbUeRFk91vBkrgPKpZQnQs90N16S/SOapals9eRVgax4NIyqx/jadJa8kbPrzTEDdEv7mg2REOXTklzwp6CUjencq4XRXj+1EBAYCagU=","ARC-Authentication-Results":"i=1; mx.zohomail.com;\n dkim=pass header.i=collabora.com;\n spf=pass smtp.mailfrom=dmitry.osipenko@collabora.com;\n dmarc=pass header.from=","DKIM-Signature":"v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1771269260;\n s=zohomail; d=collabora.com; i=dmitry.osipenko@collabora.com;\n h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-ID:In-Reply-To:References:MIME-Version:Content-Transfer-Encoding:Message-Id:Reply-To;\n bh=cZRQx4NZh6z59MAsL+uEWPok6i5r3bXHDoDlzrj55oE=;\n b=QrHH/M/ZSEw9w5wvE3ihd+RrZlGpq5nOFTXhHRlI4IL6kmwT10oEksKSnPX5rTX0\n CfLakcUCSq+f8TS4OfAKDF8njtv1CDT+BlLXmdOyV8SbYPE6N8g8EVBR1HJSJRbYYEL\n N8Q7mW5P1xe+RBH1wCQ22bBC5lDf8/Fibfm3gjTU=","From":"Dmitry Osipenko ","To":"Akihiko Odaki ,\n Huang Rui ,\n =?utf-8?q?Marc-Andr=C3=A9_Lureau?= ,\n\t=?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= ,\n Gerd Hoffmann ,\n =?utf-8?q?Alex_Benn=C3=A9e?= ,\n Pierre-Eric Pelloux-Prayer ,\n \"Michael S . Tsirkin\" , Paolo Bonzini ,\n Yiwei Zhang , Sergio Lopez Pascual ","Cc":"Gert Wollny , qemu-devel@nongnu.org,\n Gurchetan Singh , Alyssa Ross ,\n\t=?utf-8?q?Roger_Pau_Monn=C3=A9?= ,\n Alex Deucher ,\n Stefano Stabellini , =?utf-8?q?Christian_K?=\n\t=?utf-8?q?=C3=B6nig?= ,\n Xenia Ragiadakou ,\n Honglei Huang , Julia Zhang ,\n Chen Jiqian , Rob Clark ,\n Robert Beckett ","Subject":"[PATCH v17 15/18] virtio-gpu: Validate hostmem mapping offset","Date":"Mon, 16 Feb 2026 22:12:10 +0300","Message-ID":"<20260216191213.2556073-16-dmitry.osipenko@collabora.com>","X-Mailer":"git-send-email 2.52.0","In-Reply-To":"<20260216191213.2556073-1-dmitry.osipenko@collabora.com>","References":"<20260216191213.2556073-1-dmitry.osipenko@collabora.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-ZohoMailClient":"External","Received-SPF":"pass client-ip=136.143.188.112;\n envelope-from=dmitry.osipenko@collabora.com; helo=sender4-pp-f112.zoho.com","X-Spam_score_int":"-20","X-Spam_score":"-2.1","X-Spam_bar":"--","X-Spam_report":"(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,\n SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"Check hostmem mapping boundaries originated from guest.\n\nSuggested-by: Akihiko Odaki \nSigned-off-by: Dmitry Osipenko \n---\n hw/display/virtio-gpu-virgl.c | 10 ++++++++++\n 1 file changed, 10 insertions(+)","diff":"diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c\nindex 988171c0a414..7928e8d9d6f4 100644\n--- a/hw/display/virtio-gpu-virgl.c\n+++ b/hw/display/virtio-gpu-virgl.c\n@@ -791,6 +791,7 @@ static void virgl_cmd_resource_map_blob(VirtIOGPU *g,\n struct virtio_gpu_resource_map_blob mblob;\n struct virtio_gpu_virgl_resource *res;\n struct virtio_gpu_resp_map_info resp;\n+ VirtIOGPUBase *b = VIRTIO_GPU_BASE(g);\n int ret;\n \n VIRTIO_GPU_FILL_CMD(mblob);\n@@ -804,6 +805,15 @@ static void virgl_cmd_resource_map_blob(VirtIOGPU *g,\n return;\n }\n \n+ if (mblob.offset + res->base.blob_size > b->conf.hostmem ||\n+ mblob.offset + res->base.blob_size < mblob.offset) {\n+ qemu_log_mask(LOG_GUEST_ERROR,\n+ \"%s: failed to map virgl resource: invalid offset\\n\",\n+ __func__);\n+ cmd->error = VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER;\n+ return;\n+ }\n+\n ret = virtio_gpu_virgl_map_resource_blob(g, res, mblob.offset);\n if (ret) {\n cmd->error = VIRTIO_GPU_RESP_ERR_UNSPEC;\n","prefixes":["v17","15/18"]}