On 2025/11/20 13:06, Dmitry Osipenko wrote:
Check hostmem mapping boundaries originated from guest.

Suggested-by: Akihiko Odaki <[email protected]>
Signed-off-by: Dmitry Osipenko <[email protected]>
---
  hw/display/virtio-gpu-virgl.c | 8 ++++++++
  1 file changed, 8 insertions(+)

diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c
index a6860f63b563..cf1da4b79626 100644
--- a/hw/display/virtio-gpu-virgl.c
+++ b/hw/display/virtio-gpu-virgl.c
@@ -126,6 +126,14 @@ virtio_gpu_virgl_map_resource_blob(VirtIOGPU *g,
          return -EOPNOTSUPP;
      }
+ if (offset + res->base.blob_size > b->conf.hostmem ||
+        offset + res->base.blob_size < offset) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: failed to map virgl resource: invalid offset\n",
+                      __func__);
+        return -1;

The last returned error is -EOPNOTSUPP but this returns -1, which does not look right.

QEMU should also return VIRTIO_GPU_RESP_ERR_INVALID_PARAMETER if this check fails.

+    }
+
      ret = virgl_renderer_resource_map(res->base.resource_id, &data, &size);
      if (ret) {
          qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to map virgl resource: 
%s\n",
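
Review bot: The bounds test at `offset + res->base.blob_size > b->conf.hostmem` relies on the second clause to catch wrap-around, which only holds if `offset` and `blob_size` are both unsigned and of the same width; their declarations are not visible in this hunk. A form that cannot overflow, such as `offset > b->conf.hostmem || res->base.blob_size > b->conf.hostmem - offset`, would remove that dependency. The log text also says "invalid offset" even when the cause is a blob_size larger than the remaining hostmem region, so printing the offset, blob size and hostmem limit would make the guest error easier to diagnose.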


