{"id":2224226,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2224226/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260417-virtio-fixups-v2-2-4a0d8636a628@linaro.org/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.2/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260417-virtio-fixups-v2-2-4a0d8636a628@linaro.org>","list_archive_url":null,"date":"2026-04-17T05:10:10","name":"[v2,2/2] virtio-snd: check for overflow before g_malloc0","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"91f3c69510feaae3ed24576e7477a25249acf46a","submitter":{"id":86526,"url":"http://patchwork.ozlabs.org/api/1.2/people/86526/?format=json","name":"Manos Pitsidianakis","email":"manos.pitsidianakis@linaro.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260417-virtio-fixups-v2-2-4a0d8636a628@linaro.org/mbox/","series":[{"id":500238,"url":"http://patchwork.ozlabs.org/api/1.2/series/500238/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=500238","date":"2026-04-17T05:10:09","name":"More virtio-snd fortifications/coverity fixes","version":2,"mbox":"http://patchwork.ozlabs.org/series/500238/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2224226/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2224226/checks/","tags":{},"related":[],"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256\n header.s=google 
header.b=zQgFPCtW;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fxjfK0VvQz1yDF\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 17 Apr 2026 15:11:37 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wDbTH-0006rf-0e; Fri, 17 Apr 2026 01:10:27 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <manos.pitsidianakis@linaro.org>)\n id 1wDbTE-0006qe-77\n for qemu-devel@nongnu.org; Fri, 17 Apr 2026 01:10:24 -0400","from mail-wr1-x42c.google.com ([2a00:1450:4864:20::42c])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.90_1) (envelope-from <manos.pitsidianakis@linaro.org>)\n id 1wDbTB-0002O0-BX\n for qemu-devel@nongnu.org; Fri, 17 Apr 2026 01:10:22 -0400","by mail-wr1-x42c.google.com with SMTP id\n ffacd0b85a97d-43cfbd17589so162046f8f.0\n for <qemu-devel@nongnu.org>; Thu, 16 Apr 2026 22:10:19 -0700 (PDT)","from [127.0.1.1] (athedsl-4440559.home.otenet.gr. 
[79.129.177.223])\n by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-43fe4e3a18csm1749524f8f.20.2026.04.16.22.10.16\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 16 Apr 2026 22:10:17 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=linaro.org; s=google; t=1776402618; x=1777007418; darn=nongnu.org;\n h=cc:to:in-reply-to:references:message-id:content-transfer-encoding\n :mime-version:subject:date:from:from:to:cc:subject:date:message-id\n :reply-to; bh=MO94xCcoU6UDdF1hpEURZaIY79fEZkBmJ9yGiyO6ciM=;\n b=zQgFPCtWQiiRRbUxfInQ6E3PsqEjv7L6smopFhJN1oMgLXm062fbK2GUoiNMX5+aBG\n 32BDrDxyt4x+IsSGIsnPZu0qx/Z42zRyA4CXT70PMVNkjEg6ZkcWoFVALR3uuK5vMk6S\n xPjvHDZ1UR4orNhpFiz9daesFlAdZE1pCNlfz0UjgwK060DfEQFQ76xu/Mo/g8FJS0N6\n zfv048eusQrLoreEYUXZbvL06tn3Y/yG7x2NaMr8u7qWR4hD/tv5BiMufXiy2s9Mgvfr\n OcwvoHCRR6fP8hW/q4ohs2gM+nk+APNLfC355oHGLBJsyl5LPUjfxR2u97sZQDl9ymvW\n 4H5g==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776402618; x=1777007418;\n h=cc:to:in-reply-to:references:message-id:content-transfer-encoding\n :mime-version:subject:date:from:x-gm-gg:x-gm-message-state:from:to\n :cc:subject:date:message-id:reply-to;\n bh=MO94xCcoU6UDdF1hpEURZaIY79fEZkBmJ9yGiyO6ciM=;\n b=QUa9KkF4/3DgfCCMdB16CxpSLwIKQ6zBCbGl6LffJnUjS4Sw6kzex7gRqofOs60d2i\n 0Hf4Q52fC0nUyOMCbVfKohnA1Nb3EEYNZFBWquNQnuDIJ9bZrqeq32/0smVxh8oETi6+\n zYsdRnMzRACG05h0ncP8Y+YHHWNOyQMG3rgSd4eLbP59nphJA6lVQokU2smZZxPd7zoQ\n dL7YEHcs+nKXWMFyrHND8DTEOGR2MxWoaAPPIBFxqHSOJOF1nCLM0eBTYTetmbWW/oWA\n mLgh15tI7Gwwd2+y4jJrKnDsTajMz1yksznekEyHiF8DsnCMjKS27IsMx2LS1Gikp5i5\n DosA==","X-Gm-Message-State":"AOJu0YzClkvT135vPMBkkHkvsL8gB88H8INyjNMKHyyyA9PzE5qEu8fZ\n JRIHN+KX9aCZ84j8HXdmz5g/gur0VXvjyBOsBPaq1D6rZmz8HffhV/r0gAIT+0AW1xCWNAVirGo\n oh0mdG4g=","X-Gm-Gg":"AeBDievETTI27Jv7MtlaP8fuAqu4jMtCcp9dkBBSTGY2DZS0XiIqTSlzMBolD34jzYP\n IOAuSuenaTieUgTF9OSjco3Vx+pFbooFfWiLJpZK5iGufhVjMkEiEp4J34JBEEHpgZM3cjgOGaD\n 
5/Vx7Do31qRnJQ8AjU8mBXEKYUGlHy8bBb+KnfY7w7WaOMKN6DjAbfNcdMUqoHDl3zC3SZeFNOr\n 8tHVR1DqcRIKS0dmATjSX13kDxRJQ6FHKtlT6Rn7OwGGyCrDx8NRl2nv3cSOhikT2pMLQmAfZug\n 95xqrAlw2sVaQPj7808JOi5IYFqAVdA1q2/idx+GzEmEdgaAOBOrW7SJSpjxWN7k1iPUvmfvlUg\n gqbd+1W7nn2QNpMRH95FiNRxhkRSui7qZiLdShys/SVyLAvM9a5REkRdaSNb6R3dojnmNHOYCEI\n 6gGHJF5Du7N0LM2suKDeiZJd/7L10boqVLpkKLU9h9L3eFCZ0NcOP0fJEgw5EVtk+qvZKqpYpct\n eoDzgFuZEwEh9HgDc/t6xR7IvX6FAUDvoETLIuMecU71gy7c+yW9s4EKDHXgw==","X-Received":"by 2002:adf:fcc9:0:b0:43f:e4f1:bd9b with SMTP id\n ffacd0b85a97d-43fe4f1bdf7mr467208f8f.30.1776402617728;\n Thu, 16 Apr 2026 22:10:17 -0700 (PDT)","From":"Manos Pitsidianakis <manos.pitsidianakis@linaro.org>","Date":"Fri, 17 Apr 2026 08:10:10 +0300","Subject":"[PATCH v2 2/2] virtio-snd: check for overflow before g_malloc0","MIME-Version":"1.0","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"7bit","Message-Id":"<20260417-virtio-fixups-v2-2-4a0d8636a628@linaro.org>","References":"<20260417-virtio-fixups-v2-0-4a0d8636a628@linaro.org>","In-Reply-To":"<20260417-virtio-fixups-v2-0-4a0d8636a628@linaro.org>","To":"qemu-devel@nongnu.org","Cc":"Gerd Hoffmann <kraxel@redhat.com>, \"Michael S. 
Tsirkin\" <mst@redhat.com>,\n\t=?utf-8?q?Philippe_Mathieu-Daud=C3=A9?= <philmd@linaro.org>, =?utf-8?q?Alex?=\n\t=?utf-8?q?_Benn=C3=A9e?= <alex.bennee@linaro.org>,\n  Richard Henderson <richard.henderson@linaro.org>, qemu-stable@nongnu.org,\n  Manos Pitsidianakis <manos.pitsidianakis@linaro.org>","X-Mailer":"b4 0.14.2","X-Developer-Signature":"v=1; a=openpgp-sha256; l=2754;\n i=manos.pitsidianakis@linaro.org; h=from:subject:message-id;\n bh=Bq62Ohx1DaKj6RUXlcem2LCLdDkwbtcNdp7LNhLzatg=;\n b=LS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tCgpvd0VCYlFLUy9aQU5Bd0FLQVhjcHgzQi9mZ\n 25RQWNzbVlnQnA0Y0MyRWNoUE1oRWVSZ1hZTGg3UndTMHJlS0xaClc3U1hFWG0vbVNrSUJTM3dZ\n VWFKQWpNRUFBRUtBQjBXSVFUTVhCdE9SS0JXODRkd0hSQjNLY2R3ZjM0SjBBVUMKYWVIQXRnQUt\n DUkIzS2Nkd2YzNEowTGNrRUFDTEt1THlOdnZ3YXVtUEhUWnB4MWk3MHRHTGovRUxzL3RuSnJZZg\n pKTHhJcXhpbWZFWW14VDc0Ujd0YUhMdDhWb2c4dmxVT0hicWVpYUswN2U2TTJQdlorZlY3bjhXd\n Vphb3JERzQvClNxZnNzSzdkdUNQVmRGbm5YNzJMWVdWYkVOQTk3a2dWdG9NV01yWkdHV3AxZUhQ\n Z2dzV1JrRFlSMVhBWGhLUnUKUktYcmZnM0hGbG9EbnZPOTZkdVI1aEVtTjUxQWFzUVpqcjY5SEN\n OWGdQV0N2blI0TlB6a0Q3SXQ5blU5MmdOSApkajlHK0FZcXI2UHdUTGMvUjUrN1UwTHQrMWhxOU\n JwKzVSOTc0OFBoNC9mWXNJMkdkQm1hdGNvb2hwNHZELzMrCjhBTVBZaG5DMXBCd00yY3JrOVhGM\n 2lvQzUvS3h4T3YxOXlUS0orY29xZk9iL0lMcHlIREpCQlBtSE4vWkpTUXUKSm4wSU11aUdDdENu\n dDNGaDhQMTkrNzNkYlVnVmFOYkVSTlZ3N1YwdnJ1Vm9MMmlJL3R2VzVTOVlCS1BBbmRBWQpsTEh\n aUFl0ZldDT1lqMGdUV0dzQVFwK0l6QzNQMTRDL3lLNTlVeUdTeHhIN1RrUHhEVFdwWXozWEdyc1\n Y0OGprCnNqYWI0R1IvOExtdnpXR1JZdFJOVmFUMDMrNjZWWEpSbXlPTUVDQVJBcGFOclZ6WHlOR\n ERtL3lHUk5sY1J3L1IKTEV3V3dITFdIbTZPOHkyelp1alA5aVFsM3VsdnFLZEx2MHdjbTBZeTAv\n SDB1NGxpbXM4cjBibDByVlJvUWtWcwpROUJOYzRkaElMUmRyemZYRW5JOWFvOU1SS0JJNEswVGx\n xSnNYaWNvTE9SbjlnZE5qeXIxbUJHUUpPc1dteUZWCmJRVUhSdz09Cj02YWl2Ci0tLS0tRU5EIF\n BHUCBNRVNTQUdFLS0tLS0K","X-Developer-Key":"i=manos.pitsidianakis@linaro.org; a=openpgp;\n fpr=7C721DF9DB3CC7182311C0BF68BC211D47B421E1","Received-SPF":"pass client-ip=2a00:1450:4864:20::42c;\n envelope-from=manos.pitsidianakis@linaro.org; 
helo=mail-wr1-x42c.google.com","X-Spam_score_int":"-20","X-Spam_score":"-2.1","X-Spam_bar":"--","X-Spam_report":"(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"Coverity points out one g_malloc0 overflow, but it seems to be a false\npositive. 
Add a check to it regardless to fortify the code, and also add\nchecks for every other g_malloc0 use.\n\nSigned-off-by: Manos Pitsidianakis <manos.pitsidianakis@linaro.org>\n---\n hw/audio/virtio-snd.c | 16 ++++++++++++----\n 1 file changed, 12 insertions(+), 4 deletions(-)","diff":"diff --git a/hw/audio/virtio-snd.c b/hw/audio/virtio-snd.c\nindex 93fbcfb43f7fdcfd5c164b496015da743822f5eb..694bcebb60f6c866346470672cc798b3271ae34f 100644\n--- a/hw/audio/virtio-snd.c\n+++ b/hw/audio/virtio-snd.c\n@@ -850,7 +850,7 @@ static void virtio_snd_handle_tx_xfer(VirtIODevice *vdev, VirtQueue *vq)\n     VirtIOSound *vsnd = VIRTIO_SND(vdev);\n     VirtIOSoundPCMBuffer *buffer;\n     VirtQueueElement *elem;\n-    size_t msg_sz, size;\n+    size_t msg_sz, size, tmp;\n     virtio_snd_pcm_xfer hdr;\n     uint32_t stream_id;\n     /*\n@@ -880,6 +880,8 @@ static void virtio_snd_handle_tx_xfer(VirtIODevice *vdev, VirtQueue *vq)\n         if (msg_sz != sizeof(virtio_snd_pcm_xfer)) {\n             goto tx_err;\n         }\n+        assert(iov_size(elem->out_sg, elem->out_num) >= msg_sz);\n+        size = iov_size(elem->out_sg, elem->out_num) - msg_sz;\n         stream_id = le32_to_cpu(hdr.stream_id);\n \n         if (stream_id >= vsnd->snd_conf.streams\n@@ -892,9 +894,11 @@ static void virtio_snd_handle_tx_xfer(VirtIODevice *vdev, VirtQueue *vq)\n             goto tx_err;\n         }\n \n+        /* Check for g_malloc0 overflow. 
*/\n+        if (!g_size_checked_add(&tmp, sizeof(VirtIOSoundPCMBuffer), size)) {\n+            goto tx_err;\n+        }\n         WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) {\n-            size = iov_size(elem->out_sg, elem->out_num) - msg_sz;\n-\n             buffer = g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size);\n             buffer->elem = elem;\n             buffer->populated = false;\n@@ -932,7 +936,7 @@ static void virtio_snd_handle_rx_xfer(VirtIODevice *vdev, VirtQueue *vq)\n     VirtIOSound *vsnd = VIRTIO_SND(vdev);\n     VirtIOSoundPCMBuffer *buffer;\n     VirtQueueElement *elem;\n-    size_t msg_sz, size;\n+    size_t msg_sz, size, tmp;\n     virtio_snd_pcm_xfer hdr;\n     uint32_t stream_id;\n     /*\n@@ -977,6 +981,10 @@ static void virtio_snd_handle_rx_xfer(VirtIODevice *vdev, VirtQueue *vq)\n             goto rx_err;\n         }\n         size -= sizeof(virtio_snd_pcm_status);\n+        /* Check for g_malloc0 overflow. */\n+        if (!g_size_checked_add(&tmp, sizeof(VirtIOSoundPCMBuffer), size)) {\n+            goto rx_err;\n+        }\n         WITH_QEMU_LOCK_GUARD(&stream->queue_mutex) {\n             buffer = g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size);\n             buffer->elem = elem;\n","prefixes":["v2","2/2"]}
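Review bot: in both the tx_xfer and rx_xfer hunks the checked sum is stored in `tmp` and then discarded, while `g_malloc0(sizeof(VirtIOSoundPCMBuffer) + size)` recomputes the addition; pass `tmp` to `g_malloc0` instead (e.g. `buffer = g_malloc0(tmp);`) so the allocation size is exactly the value `g_size_checked_add` validated and the arithmetic is not duplicated. In the tx_xfer hunk, the new `assert(iov_size(elem->out_sg, elem->out_num) >= msg_sz);` is only sound because the preceding `msg_sz != sizeof(virtio_snd_pcm_xfer)` check already rejects any request whose header could not be fully read from the iov; a one-line comment saying the assert documents that invariant (rather than guarding guest-supplied lengths) would keep a future reader from mistaking it for the actual bounds check.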