Check hostmem mapping boundaries originated from guest.
Suggested-by: Akihiko Odaki <[email protected]>
Signed-off-by: Dmitry Osipenko <[email protected]>
---
hw/display/virtio-gpu-virgl.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/hw/display/virtio-gpu-virgl.c b/hw/display/virtio-gpu-virgl.c
index a6860f63b563..2224f59cf5d7 100644
--- a/hw/display/virtio-gpu-virgl.c
+++ b/hw/display/virtio-gpu-virgl.c
@@ -126,6 +126,14 @@ virtio_gpu_virgl_map_resource_blob(VirtIOGPU *g,
return -EOPNOTSUPP;
}
+ if (offset + res->base.blob_size > b->conf.hostmem ||
+ offset + res->base.blob_size < offset) {
+ qemu_log_mask(LOG_GUEST_ERROR,
+ "%s: failed to map virgl resource: invalid offset\n",
+ __func__);
+ return -EINVAL;
+ }
+
ret = virgl_renderer_resource_map(res->base.resource_id, &data, &size);
if (ret) {
qemu_log_mask(LOG_GUEST_ERROR, "%s: failed to map virgl resource:
%s\n",
--
2.51.1
