On Thu, Mar 12, 2026 at 10:34:20PM +0300, Michael Tokarev wrote:
> On 09.03.2026 22:01, Paolo Bonzini wrote:
> > If cpu_physical_memory_map() returns a length shorter than the one
> > that was passed into the function, writing the full out_len bytes
> > causes an access beyond the memory allocated to the guest; or in
> > the case of the MMIO bounce buffer, an out-of-bounds access in a
> > heap-allocated object.
> >
> > Add a check similar to the one already in handle_send_msg(),
> > and take the occasion to remove repeated computations of
> > recv_byte_count + UDP_PKT_HEADER_SIZE and clarify that the
> > code does not write past out_len bytes.
> >
> > Reported-by: Oleh Konko <https://github.com/1seal>
> > Reviewed-by: Daniel P. Berrangé <[email protected]>
> > Signed-off-by: Paolo Bonzini <[email protected]>
>
> I'm picking this up for qemu stable series.
> Please let me know if I shouldn't :)

Yes, as a security fix it should go to stable too

With regards,
Daniel
-- 
|: https://berrange.com         ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org          ~~ https://entangle-photo.org     :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
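The defect class the quoted commit message describes, shown as an added, self-contained example that is not QEMU's code and not Paolo's patch: a stand-in for cpu_physical_memory_map() that may hand back a shorter length than requested, and a receive path that checks that length before writing, clamps its writes to out_len, computes recv_byte_count + UDP_PKT_HEADER_SIZE once, and unmaps on every exit path. The 64-byte guest memory model, the value 4 for UDP_PKT_HEADER_SIZE, the header layout and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for guest RAM: 64 bytes. Not QEMU code. */
#define GUEST_MEM_SIZE 64
static uint8_t guest_mem[GUEST_MEM_SIZE];

/* Assumed header size for this example; QEMU's real constant may differ. */
#define UDP_PKT_HEADER_SIZE 4

/* Counts map() calls not yet matched by unmap(), so a caller can verify that
 * every path, including the error paths, releases its mapping. */
static int outstanding_maps;

/* Hypothetical model of cpu_physical_memory_map(): asks for *plen bytes at
 * addr but may return a SHORTER *plen when the range runs past the mappable
 * region. That shortening is what the fix in the commit message guards
 * against. Returns NULL when nothing can be mapped. */
static uint8_t *model_memory_map(uint64_t addr, size_t *plen)
{
    if (addr >= GUEST_MEM_SIZE || *plen == 0) {
        return NULL;
    }
    size_t avail = GUEST_MEM_SIZE - (size_t)addr;
    if (*plen > avail) {
        *plen = avail;          /* caller asked for more than is mappable */
    }
    outstanding_maps++;
    return guest_mem + addr;
}

/* Model of cpu_physical_memory_unmap(): releases the mapping. */
static void model_memory_unmap(uint8_t *buf, size_t len, size_t access_len)
{
    (void)buf; (void)len; (void)access_len;
    outstanding_maps--;
}

static int outstanding_mappings(void) { return outstanding_maps; }

enum {
    RECV_ERR_BAD_OUT_LEN = -1,  /* out_len cannot even hold the header */
    RECV_ERR_MAP_FAILED  = -2,  /* nothing mappable at addr */
    RECV_ERR_SHORT_MAP   = -3,  /* mapping shorter than the requested out_len */
};

/* Hardened receive path: write a header plus up to
 * out_len - UDP_PKT_HEADER_SIZE payload bytes into guest memory at addr.
 * Returns the number of bytes written, or a negative RECV_ERR_* code.
 * Guarantees: never writes more than out_len bytes, never writes into a
 * mapping shorter than out_len, and always unmaps what it mapped. */
static int recv_to_guest(uint64_t addr, size_t out_len,
                         const uint8_t *payload, size_t recv_byte_count)
{
    if (out_len < UDP_PKT_HEADER_SIZE) {
        return RECV_ERR_BAD_OUT_LEN;
    }
    /* Compute the total once, clamped to out_len, so the caller's buffer
     * size is the hard upper bound on what gets written. */
    size_t total = recv_byte_count + UDP_PKT_HEADER_SIZE;
    if (total > out_len) {
        total = out_len;
    }
    size_t payload_len = total - UDP_PKT_HEADER_SIZE;

    size_t mapped_len = out_len;
    uint8_t *out = model_memory_map(addr, &mapped_len);
    if (out == NULL) {
        return RECV_ERR_MAP_FAILED;
    }
    /* The check the patch adds: a shortened mapping means that writing
     * out_len bytes would run off the end of guest RAM (or, in the real
     * code, off the end of the heap-allocated MMIO bounce buffer). */
    if (mapped_len < out_len) {
        model_memory_unmap(out, mapped_len, 0);
        return RECV_ERR_SHORT_MAP;
    }

    /* Header: payload byte count, big-endian (constructed layout). */
    out[0] = (uint8_t)(payload_len >> 24);
    out[1] = (uint8_t)(payload_len >> 16);
    out[2] = (uint8_t)(payload_len >> 8);
    out[3] = (uint8_t)payload_len;
    memcpy(out + UDP_PKT_HEADER_SIZE, payload, payload_len);

    model_memory_unmap(out, mapped_len, total);
    return (int)total;
}

/* Constructed sample payload used by main() and by the checks. */
static const uint8_t sample_payload[8] = { 0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4 };

int main(void)
{
    int n = recv_to_guest(0, 32, sample_payload, sizeof sample_payload);
    printf("in-bounds write: %d bytes\n", n);
    n = recv_to_guest(60, 32, sample_payload, sizeof sample_payload);
    printf("mapping shortened: rc=%d, outstanding maps=%d\n",
           n, outstanding_mappings());
    return 0;
}
```

The second call in main() asks for 32 bytes at offset 60 of a 64-byte region; the model mapping comes back 4 bytes long, and without the `mapped_len < out_len` check the header plus payload would be written 8 bytes past the end of the array. The outstanding-mapping counter is there to make the unmap-on-error discipline checkable, since a leaked mapping on the failure path is the usual second bug in this kind of fix.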
