On Mon, Mar 09, 2026 at 08:01:44PM +0100, Paolo Bonzini wrote:
> If cpu_physical_memory_map() returns a length shorter than the one
> that was passed into the function, writing the full out_len bytes
> causes an access beyond the memory allocated to the guest; or in
> the case of the MMIO bounce buffer, an out-of-bounds access in a
> heap-allocated object.
>
> Add a check similar to the one already in handle_send_msg(),
> and take the occasion to remove repeated computations of
> recv_byte_count + UDP_PKT_HEADER_SIZE and clarify that the
> code does not write past out_len bytes.
>

Can you add

  Fixes: CVE-2026-3842

> Reported-by: Oleh Konko <https://github.com/1seal>
> Reviewed-by: Daniel P. Berrangé <[email protected]>
> Signed-off-by: Paolo Bonzini <[email protected]>
> ---
>  hw/hyperv/syndbg.c | 23 +++++++++++------------
>  1 file changed, 11 insertions(+), 12 deletions(-)

With regards,
Daniel
-- 
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|

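The failure mode described in the quoted commit message, as an added example that is not part of this thread or of QEMU's hw/hyperv/syndbg.c: a constructed map function that, like cpu_physical_memory_map(), may report a shorter length than requested, and a recv-style copy that computes recv_byte_count + UDP_PKT_HEADER_SIZE once and refuses to write when the mapped length is shorter than that. fake_map, deliver_packet, guest_ram, sample_payload and the UDP_PKT_HEADER_SIZE value are assumptions, not QEMU's code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for QEMU's UDP_PKT_HEADER_SIZE; the real value lives in
 * hw/hyperv/syndbg.c and is not reproduced here. */
#define UDP_PKT_HEADER_SIZE 8

/* Constructed guest RAM (64 bytes) and a constructed 4-byte payload. */
static uint8_t guest_ram[64];
static const uint8_t sample_payload[4] = { 1, 2, 3, 4 };

/* Fake mapping function modelled on the contract of cpu_physical_memory_map():
 * the caller asks for *plen bytes at addr, and the function may hand back
 * fewer, reporting the actual mapped length through *plen (or NULL on failure). */
static void *fake_map(size_t addr, size_t *plen)
{
    if (addr >= sizeof(guest_ram)) {
        *plen = 0;
        return NULL;
    }
    if (addr + *plen > sizeof(guest_ram)) {
        *plen = sizeof(guest_ram) - addr;   /* shorter than requested */
    }
    return guest_ram + addr;
}

/* Write header + payload into guest memory at addr, never past out_len bytes.
 * Returns the number of bytes written, or 0 when nothing was written because
 * the packet does not fit or the mapping came back shorter than needed. */
static size_t deliver_packet(size_t addr, size_t out_len,
                             const uint8_t *payload, size_t recv_byte_count)
{
    size_t total = recv_byte_count + UDP_PKT_HEADER_SIZE;  /* computed once */
    size_t len = out_len;
    uint8_t *out;

    if (total > out_len) {
        return 0;               /* packet larger than the caller's buffer */
    }
    out = fake_map(addr, &len);
    if (!out || len < total) {
        return 0;               /* mapping too short: refuse, do not write */
    }
    memset(out, 0, UDP_PKT_HEADER_SIZE);   /* constructed all-zero header */
    memcpy(out + UDP_PKT_HEADER_SIZE, payload, recv_byte_count);
    return total;
}
```

The second and fourth calls in the test exercise the short-mapping path: without the len < total check the copy would run past the bytes the mapping actually covers.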