* [Qemu-devel] [PULL 0/1] device-tree queue
@ 2019-04-09 23:55 Alistair Francis
2019-04-09 23:55 ` Alistair Francis
2019-04-10 9:27 ` Peter Maydell
0 siblings, 2 replies; 5+ messages in thread
From: Alistair Francis @ 2019-04-09 23:55 UTC (permalink / raw)
To: qemu-devel, peter.maydell; +Cc: alistair23, Alistair Francis
The following changes since commit f151f8aca5cf5da24f6eb743a55a2233091ae532:
migration/ram.c: Fix use-after-free in multifd_recv_unfill_packet() (2019-04-09 20:46:34 +0100)
are available in the Git repository at:
git@github.com:alistair23/qemu.git tags/pull-device-tree-20190409-1
for you to fetch changes up to 065e6298a75164b4347682b63381dbe752c2b156:
device_tree: Fix integer overflowing in load_device_tree() (2019-04-09 16:35:40 -0700)
----------------------------------------------------------------
Single device tree fix for 4.0
A single patch to avoid an overflow when loading device trees.
----------------------------------------------------------------
Markus Armbruster (1):
device_tree: Fix integer overflowing in load_device_tree()
device_tree.c | 4 ++++
1 file changed, 4 insertions(+)
^ permalink raw reply [flat|nested] 5+ messages in thread
* [Qemu-devel] [PULL 1/1] device_tree: Fix integer overflowing in load_device_tree()
@ 2019-04-09 23:55 ` Alistair Francis
0 siblings, 0 replies; 5+ messages in thread
From: Alistair Francis @ 2019-04-09 23:55 UTC (permalink / raw)
To: qemu-devel, peter.maydell
Cc: alistair23, Markus Armbruster, Kurtis Miller,
Philippe Mathieu-Daudé,
Alistair Francis
From: Markus Armbruster <armbru@redhat.com>
If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
computation of @dt_size overflows to a negative number, which then
gets converted to a very large size_t for g_malloc0() and
load_image_size(). In the (fortunately improbable) case g_malloc0()
succeeds and load_image_size() survives, we'd assign the negative
number to *sizep. What that would do to the callers I can't say, but
it's unlikely to be good.
Fix by rejecting images whose size would overflow.
Reported-by: Kurtis Miller <kurtis.miller@nccgroup.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20190409174018.25798-1-armbru@redhat.com>
---
device_tree.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/device_tree.c b/device_tree.c
index 296278e12a..f8b46b3c73 100644
--- a/device_tree.c
+++ b/device_tree.c
@@ -84,6 +84,10 @@ void *load_device_tree(const char *filename_path, int *sizep)
filename_path);
goto fail;
}
+ if (dt_size > INT_MAX / 2 - 10000) {
+ error_report("Device tree file '%s' is too large", filename_path);
+ goto fail;
+ }
/* Expand to 2x size to give enough room for manipulation. */
dt_size += 10000;
--
2.21.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [Qemu-devel] [PULL 1/1] device_tree: Fix integer overflowing in load_device_tree()
@ 2019-04-09 23:55 ` Alistair Francis
0 siblings, 0 replies; 5+ messages in thread
From: Alistair Francis @ 2019-04-09 23:55 UTC (permalink / raw)
To: qemu-devel, peter.maydell
Cc: alistair23, Alistair Francis, Kurtis Miller,
Philippe Mathieu-Daudé,
Markus Armbruster
From: Markus Armbruster <armbru@redhat.com>
If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
computation of @dt_size overflows to a negative number, which then
gets converted to a very large size_t for g_malloc0() and
load_image_size(). In the (fortunately improbable) case g_malloc0()
succeeds and load_image_size() survives, we'd assign the negative
number to *sizep. What that would do to the callers I can't say, but
it's unlikely to be good.
Fix by rejecting images whose size would overflow.
Reported-by: Kurtis Miller <kurtis.miller@nccgroup.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Message-Id: <20190409174018.25798-1-armbru@redhat.com>
---
device_tree.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/device_tree.c b/device_tree.c
index 296278e12a..f8b46b3c73 100644
--- a/device_tree.c
+++ b/device_tree.c
@@ -84,6 +84,10 @@ void *load_device_tree(const char *filename_path, int *sizep)
filename_path);
goto fail;
}
+ if (dt_size > INT_MAX / 2 - 10000) {
+ error_report("Device tree file '%s' is too large", filename_path);
+ goto fail;
+ }
/* Expand to 2x size to give enough room for manipulation. */
dt_size += 10000;
--
2.21.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PULL 0/1] device-tree queue
@ 2019-04-10 9:27 ` Peter Maydell
0 siblings, 0 replies; 5+ messages in thread
From: Peter Maydell @ 2019-04-10 9:27 UTC (permalink / raw)
To: Alistair Francis; +Cc: qemu-devel, alistair23
On Wed, 10 Apr 2019 at 00:55, Alistair Francis <Alistair.Francis@wdc.com> wrote:
>
> The following changes since commit f151f8aca5cf5da24f6eb743a55a2233091ae532:
>
> migration/ram.c: Fix use-after-free in multifd_recv_unfill_packet() (2019-04-09 20:46:34 +0100)
>
> are available in the Git repository at:
>
> git@github.com:alistair23/qemu.git tags/pull-device-tree-20190409-1
>
> for you to fetch changes up to 065e6298a75164b4347682b63381dbe752c2b156:
>
> device_tree: Fix integer overflowing in load_device_tree() (2019-04-09 16:35:40 -0700)
>
> ----------------------------------------------------------------
> Single device tree fix for 4.0
>
> A single patch to avoid an overflow when loading device trees.
>
> ----------------------------------------------------------------
> Markus Armbruster (1):
> device_tree: Fix integer overflowing in load_device_tree()
Applied, thanks.
Please update the changelog at https://wiki.qemu.org/ChangeLog/4.0
for any user-visible changes.
-- PMM
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Qemu-devel] [PULL 0/1] device-tree queue
@ 2019-04-10 9:27 ` Peter Maydell
0 siblings, 0 replies; 5+ messages in thread
From: Peter Maydell @ 2019-04-10 9:27 UTC (permalink / raw)
To: Alistair Francis; +Cc: alistair23, qemu-devel
On Wed, 10 Apr 2019 at 00:55, Alistair Francis <Alistair.Francis@wdc.com> wrote:
>
> The following changes since commit f151f8aca5cf5da24f6eb743a55a2233091ae532:
>
> migration/ram.c: Fix use-after-free in multifd_recv_unfill_packet() (2019-04-09 20:46:34 +0100)
>
> are available in the Git repository at:
>
> git@github.com:alistair23/qemu.git tags/pull-device-tree-20190409-1
>
> for you to fetch changes up to 065e6298a75164b4347682b63381dbe752c2b156:
>
> device_tree: Fix integer overflowing in load_device_tree() (2019-04-09 16:35:40 -0700)
>
> ----------------------------------------------------------------
> Single device tree fix for 4.0
>
> A single patch to avoid an overflow when loading device trees.
>
> ----------------------------------------------------------------
> Markus Armbruster (1):
> device_tree: Fix integer overflowing in load_device_tree()
Applied, thanks.
Please update the changelog at https://wiki.qemu.org/ChangeLog/4.0
for any user-visible changes.
-- PMM
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-04-10 9:29 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-04-09 23:55 [Qemu-devel] [PULL 0/1] device-tree queue Alistair Francis
2019-04-09 23:55 ` [Qemu-devel] [PULL 1/1] device_tree: Fix integer overflowing in load_device_tree() Alistair Francis
2019-04-09 23:55 ` Alistair Francis
2019-04-10 9:27 ` [Qemu-devel] [PULL 0/1] device-tree queue Peter Maydell
2019-04-10 9:27 ` Peter Maydell
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.