DSAN warnings suggest invalid page accesses in prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c

Discussion in 'Linux Virtual Machine' started by JohnB77, Jul 4, 2024.

  1. JohnB77

    Getting the following DSAN errors,
    Code:
    [    0.300325] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:83:10
    [    0.300327] index 0 is out of range for type 'page *[*]'
    [    0.300396] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:84:3
    [    0.300397] index 0 is out of range for type 'page *[*]'
    [    0.300448] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:86:10
    [    0.300449] index 0 is out of range for type 'page *[*]'
    [    0.300516] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:245:4
    [    0.300517] index 0 is out of range for type 'page *[*]'
    [    8.065926] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:143:21
    [    8.065929] index 0 is out of range for type 'page *[*]'
    [    8.065983] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:242:25
    [    8.065984] index 0 is out of range for type 'page *[*]'
    
    Checking the Parallels Tools module source, it does look like there's an error where loops start from 0, which causes an attempt to act on index 0 on an index of pages.

    i.e., prltg_call.c:84:3 and 86:10 refer to this loop:
    Code:
            for (i = 0; i < count; i++, mem += PAGE_SIZE, uple->count++) {
                    dma_addr_t addr;
    
                    uple->p[i] = vmalloc_to_page(mem);
                    page_cache_get(uple->p[i]);
    
                    addr = dma_map_page(prl_tg_get_device_from_pci_device(pdev), uple->p[i], 0, PAGE_SIZE,
                                        DMA_BIDIRECTIONAL);
                    dst->RequestPages[i] = dma_addr_to_pfn(addr);
                    if (!dst->RequestPages[i]) {
                            page_cache_release(uple->p[i]);
                            goto err;
                    }
            }
    
    This *might* be introducing access to unauthorised pages, so should probably be audited to make sure it is not a security hole, and is correct behaviour.
     
  2. Johan11

  3. MetinK2

    I observe the same issue on Ubuntu-25.04. It makes the Parallels driver unusable (the shared folders feature does not work).
    Code:
    [    6.217435] ------------[ cut here ]------------
    [    6.217435] UBSAN: array-index-out-of-bounds in prltg_call.c:245:4
    [    6.217568] index 0 is out of range for type 'page *[*]'
    [    6.217699] CPU: 0 UID: 0 PID: 2245 Comm: prltoolsd Tainted: P        W  OE      6.14.0-16-generic #16-Ubuntu
    [    6.217700] Tainted: [P]=PROPRIETARY_MODULE, [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
    [    6.217700] Hardware name: Parallels International GmbH. Parallels ARM Virtual Machine/Parallels ARM Virtual Platform, BIOS 20.2.2 (55879) Sat, 22 Feb 202
    [    6.217700] Call trace:
    [    6.217700]  show_stack+0x38/0xa0 (C)
    [    6.217701]  dump_stack_lvl+0x84/0xc0
    [    6.217702]  dump_stack+0x1c/0x40
    [    6.217703]  ubsan_epilogue+0x14/0x60
    [    6.217705]  __ubsan_handle_out_of_bounds+0xc4/0xe8
    [    6.217705]  tg_req_unmap_pages+0x1ec/0x430 [prl_tg]
    [    6.217706]  tg_req_destroy+0x50/0xb0 [prl_tg]
    [    6.217707]  call_tg_sync_ex+0x48/0x88 [prl_tg]
    [    6.217708]  prl_tg_write+0xe0/0x118 [prl_tg]
    [    6.217709]  proc_reg_write+0xd4/0x160
    [    6.217710]  vfs_write+0xe0/0x3b0
    [    6.217711]  ksys_write+0x7c/0x138
    [    6.217711]  __arm64_sys_write+0x28/0x58
    [    6.217712]  invoke_syscall+0x70/0x120
    [    6.217713]  el0_svc_common.constprop.0+0x4c/0x140
    [    6.217714]  do_el0_svc+0x28/0x60
    [    6.217715]  el0_svc+0x40/0x1a0
    [    6.217717]  el0t_64_sync_handler+0x134/0x160
    [    6.217718]  el0t_64_sync+0x1b8/0x1c0
    [    6.217719] ---[ end trace ]---
    [    6.307519] NET: Registered PF_QIPCRTR protocol family
    [    7.236359] loop33: detected capacity change from 0 to 8
    [   18.782732] rfkill: input handler disabled
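
An added triage helper (not part of the original thread and not Parallels code): it parses UBSAN reports in the dmesg format shown in the posts above, collapses them to unique source locations, and, when a call trace is present, records the first frame below the UBSAN handler as the faulting function. The names `parse_ubsan` and `group_by_site` are made up for this example; the sample input is taken from the logs posted in this thread.

```python
import re
from collections import defaultdict

# Lines copied (trimmed) from the two dmesg excerpts posted in this thread.
SAMPLE = """\
[    0.300325] UBSAN: array-index-out-of-bounds in /var/lib/dkms/parallels-tools/19.4.1.54985/build/prl_tg/Toolgate/Guest/Linux/prl_tg/prltg_call.c:83:10
[    0.300327] index 0 is out of range for type 'page *[*]'
[    6.217435] UBSAN: array-index-out-of-bounds in prltg_call.c:245:4
[    6.217568] index 0 is out of range for type 'page *[*]'
[    6.217705]  __ubsan_handle_out_of_bounds+0xc4/0xe8
[    6.217705]  tg_req_unmap_pages+0x1ec/0x430 [prl_tg]
[    6.217706]  tg_req_destroy+0x50/0xb0 [prl_tg]
[    6.217719] ---[ end trace ]---
"""

TS = r"^\[\s*\d+\.\d+\]\s+"
HEAD = re.compile(TS + r"UBSAN: (\S+) in (\S+):(\d+):(\d+)\s*$")
DETAIL = re.compile(TS + r"index (-?\d+) is out of range for type '(.+)'\s*$")
FRAME = re.compile(TS + r"([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")

def parse_ubsan(text):
    reports, cur, past_handler = [], None, False
    for line in text.splitlines():
        if m := HEAD.match(line):
            cur = dict(kind=m[1], file=m[2].rsplit("/", 1)[-1], line=int(m[3]),
                       col=int(m[4]), index=None, type=None, func=None, module=None)
            reports.append(cur)
            past_handler = False
        elif cur is None or "---[ end trace" in line:
            cur = None  # not inside a report, or its trace just ended
        elif m := DETAIL.match(line):
            cur["index"], cur["type"] = int(m[1]), m[2]
        elif m := FRAME.match(line):
            if past_handler and cur["func"] is None:
                cur["func"], cur["module"] = m[1], m[2]
            past_handler = past_handler or m[1].startswith("__ubsan_handle_")  # next frame is the faulting one
    return reports

def group_by_site(reports):
    sites = defaultdict(lambda: {"hits": 0, "funcs": set()})
    for r in reports:
        site = sites[(r["file"], r["line"], r["col"])]
        site["hits"] += 1
        if r["func"]:
            site["funcs"].add(f'{r["module"] or "vmlinux"}:{r["func"]}')
    return dict(sites)

if __name__ == "__main__":
    print(group_by_site(parse_ubsan(SAMPLE)))
```

Feeding it the full output of `dmesg` gives one entry per distinct `file:line:col`, which is the list of sites to check against the module source.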
    
     
