Skip to content

netvsp: bounds-check RX buffer writes#3335

Open
erfrimod wants to merge 3 commits intomicrosoft:mainfrom
erfrimod:erfrimod/netvsp-rx-buffer-overflow-safety
Open

netvsp: bounds-check RX buffer writes#3335
erfrimod wants to merge 3 commits intomicrosoft:mainfrom
erfrimod:erfrimod/netvsp-rx-buffer-overflow-safety

Conversation

@erfrimod
Copy link
Copy Markdown
Contributor

GuestBuffers::write_at previously indexed into locked_pages without validating that offset + buf.len() fit within the locked page range. A misconfigured sub_allocation_size or an out-of-range RxId would panic.

  • Offset and buf.len() validated against locked-page size up front, returning a typed RxBufferWriteOverflow error on overflow.
  • The two callers (write_data and write_header) log tracelimited warnings.
  • Added unit test.

@erfrimod erfrimod requested a review from a team as a code owner April 20, 2026 21:47
Copilot AI review requested due to automatic review settings April 20, 2026 21:47
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds explicit bounds-checking for receive-buffer writes in netvsp to prevent panics from out-of-range offsets/lengths, returning a typed error and logging rate-limited warnings when writes would overflow.

Changes:

  • Introduces RxBufferWriteOverflow + check_rx_write_bounds to validate offset + len safely.
  • Updates GuestBuffers::write_at to return Result and validates against locked-page total size before writing.
  • Adds a unit test covering check_rx_write_bounds edge cases.

Comment thread vm/devices/net/netvsp/src/buffers.rs
Comment thread vm/devices/net/netvsp/src/buffers.rs Outdated
Comment thread vm/devices/net/netvsp/src/buffers.rs
Copy link
Copy Markdown
Member

@chris-oo chris-oo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM other than question about what the guest should see


fn write_data(&mut self, id: RxId, data: &[u8]) {
self.buffers.write_at(self.offset(id) + RX_HEADER_LEN, data);
if let Err(err) = self.buffers.write_at(self.offset(id) + RX_HEADER_LEN, data) {
Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does something need to get reported to the guest, or it's expected we just drop it on the floor?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We wouldn't drop the packet, the Guest would see an packet with an empty buffer. Better than crashing.

In practice, this won't happen unless OpenHCL is misconfigured. This is defense in depth, caught by a fuzzer test that does not check capacity before calling write_packet.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants