On Fri, Apr 17, 2026 at 03:26:44PM +0200, Stefano Garzarella wrote:
> From: Stefano Garzarella <[email protected]>
>
> virtqueue_read_indirect_desc() copies an indirect descriptor table
> into a buffer in chunks when the table crosses a memory region
> boundary. The destination is a struct vring_desc pointer but is
> advanced by a byte count, so each increment moves the pointer by
> read_len elements instead of read_len bytes, writing beyond the
> buffer.
>
> Use a char pointer for the destination so that the arithmetic
> advances correctly.
>
> While at it, change the source from a struct vring_desc pointer
> to a void pointer: when the table is split across regions,
> vu_gpa_to_va() can return a pointer into the middle of a descriptor,
> so casting it to a struct vring_desc pointer is wrong. The pointer is
> only used as a memcpy() source, so a void pointer is fine.
>
> Fixes: CVE-2026-6425
> Fixes: 293084a719 ("libvhost-user: Support across-memory-boundary access")
> Cc: [email protected]
> Reported-by: DARKNAVY <[email protected]>
> Signed-off-by: Stefano Garzarella <[email protected]>
> ---
>  subprojects/libvhost-user/libvhost-user.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
Reviewed-by: Daniel P. Berrangé <[email protected]>

With regards,
Daniel
-- 
|: https://berrange.com      ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org         ~~ https://entangle-photo.org    :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
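The pointer-arithmetic mistake the commit message describes, as an added C example that is not libvhost-user's code and not part of this thread: a simplified chunked copy of a descriptor table across two guest memory regions, written the way the fix describes (a char * destination advanced by bytes, a void * source), next to a function that measures how far a struct vring_desc * moves when it is advanced by the same byte count (the bug). struct region, gpa_to_va(), read_indirect_desc() and the constructed regions in demo_split_copy() are assumptions standing in for vu_gpa_to_va(), the real memory map and the real virtqueue_read_indirect_desc(); only the 16-byte struct vring_desc layout follows the virtio split-ring format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Virtio split-ring descriptor: 16 bytes, no padding. */
struct vring_desc {
    uint64_t addr;
    uint32_t len;
    uint16_t flags;
    uint16_t next;
};

/* Hypothetical guest memory region [gpa_start, gpa_start + size)
 * backed by host memory at host_base. */
struct region {
    uint64_t gpa_start;
    uint64_t size;
    uint8_t *host_base;
};

/* Hypothetical stand-in for vu_gpa_to_va(): map a guest physical address
 * to a host pointer and report how many bytes remain in that region.
 * The returned pointer may land in the middle of a descriptor, which is
 * why it is a void * and not a struct vring_desc *. */
static void *gpa_to_va(const struct region *regs, size_t nregs,
                       uint64_t gpa, uint64_t *avail)
{
    for (size_t i = 0; i < nregs; i++) {
        if (gpa >= regs[i].gpa_start &&
            gpa < regs[i].gpa_start + regs[i].size) {
            *avail = regs[i].gpa_start + regs[i].size - gpa;
            return regs[i].host_base + (gpa - regs[i].gpa_start);
        }
    }
    return NULL;
}

/* The bug: advancing a struct pointer by a byte count scales the step by
 * sizeof(struct vring_desc). Measured against a real array so the
 * arithmetic stays defined for read_len <= 4096. */
static size_t buggy_advance_bytes(size_t read_len)
{
    static struct vring_desc table[4096];
    struct vring_desc *p = table;
    p += read_len;                      /* read_len is bytes, not elements */
    return (size_t)((char *)p - (char *)table);
}

/* The fix: a char cursor advances by exactly read_len bytes. */
static size_t fixed_advance_bytes(size_t read_len)
{
    static char table[4096];
    char *p = table;
    p += read_len;
    return (size_t)(p - table);
}

/* Chunked copy of `count` descriptors at guest address `gpa` into `dst`,
 * crossing region boundaries. Returns the number of chunks copied, or -1
 * if any part of the table is unmapped. */
static int read_indirect_desc(const struct region *regs, size_t nregs,
                              uint64_t gpa, struct vring_desc *dst,
                              size_t count)
{
    if (count > SIZE_MAX / sizeof(struct vring_desc)) {
        return -1;
    }
    size_t remaining = count * sizeof(struct vring_desc);
    char *out = (char *)dst;            /* byte cursor, not struct cursor */
    int chunks = 0;
    while (remaining > 0) {
        uint64_t avail;
        void *src = gpa_to_va(regs, nregs, gpa, &avail);
        if (src == NULL) {
            return -1;
        }
        size_t read_len = remaining < avail ? remaining : (size_t)avail;
        memcpy(out, src, read_len);
        out += read_len;                /* advances by read_len bytes */
        gpa += read_len;
        remaining -= read_len;
        chunks++;
    }
    return chunks;
}

/* Constructed scenario: 4 descriptors (64 bytes) presented as two regions
 * whose boundary at byte 40 splits descriptor 2. Returns the chunk count
 * (2) when the copy reassembles the table exactly, negative otherwise. */
static int demo_split_copy(void)
{
    struct vring_desc table[4];
    uint8_t backing[sizeof(table)];
    for (int i = 0; i < 4; i++) {
        table[i].addr  = 0x10000000ULL + (uint64_t)i * 0x1000;
        table[i].len   = 512u * (uint32_t)(i + 1);
        table[i].flags = (i < 3) ? 1 : 0;   /* VRING_DESC_F_NEXT on all but last */
        table[i].next  = (uint16_t)(i + 1);
    }
    memcpy(backing, table, sizeof(backing));

    const uint64_t base = 0x1000;
    struct region regs[2] = {
        { base,      40, backing },
        { base + 40, 24, backing + 40 },
    };

    struct vring_desc out[4];
    memset(out, 0, sizeof(out));
    int chunks = read_indirect_desc(regs, 2, base, out, 4);
    if (chunks < 0) {
        return -1;
    }
    return memcmp(out, table, sizeof(out)) == 0 ? chunks : -2;
}

int main(void)
{
    printf("struct-pointer step for 40 bytes: %zu bytes\n", buggy_advance_bytes(40));
    printf("char-pointer step for 40 bytes:   %zu bytes\n", fixed_advance_bytes(40));
    printf("split copy chunks: %d\n", demo_split_copy());
    return demo_split_copy() == 2 ? 0 : 1;
}
```

With a 40-byte first chunk, the struct-pointer version moves the destination 640 bytes into a 64-byte table before the second memcpy() runs, which is the out-of-bounds write the fix removes; the char-pointer version moves it 40 bytes and the second chunk lands where the split descriptor continues.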
