* [Qemu-devel] [PATCH] virtio-crypto: fix possible integer and heap overflow
@ 2017-01-03 6:50 Gonglei
2017-01-09 2:10 ` Gonglei (Arei)
0 siblings, 1 reply; 2+ messages in thread
From: Gonglei @ 2017-01-03 6:50 UTC (permalink / raw)
To: qemu-devel; +Cc: mst, liqiang6-s, Gonglei, qemu-stable
Because the 'size_t' type is 4 bytes in 32-bit platform, which
is the same with 'int'. It's easy to make 'max_len' to zero when
integer overflow and then cause heap overflow if 'max_len' is zero.
Using uint_64 instead of size_t to avoid the integer overflow.
Cc: qemu-stable@nongnu.org
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Tested-by: Li Qiang <liqiang6-s@360.cn>
---
hw/virtio/virtio-crypto.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
index 978bb98..fc30bc3 100644
--- a/hw/virtio/virtio-crypto.c
+++ b/hw/virtio/virtio-crypto.c
@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
uint32_t hash_start_src_offset = 0, len_to_hash = 0;
uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
- size_t max_len, curr_size = 0;
+ uint64_t max_len, curr_size = 0;
size_t s;
/* Plain cipher */
@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
return NULL;
}
- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
if (unlikely(max_len > vcrypto->conf.max_size)) {
virtio_error(vdev, "virtio-crypto too big length");
return NULL;
--
1.8.3.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [Qemu-devel] [PATCH] virtio-crypto: fix possible integer and heap overflow
2017-01-03 6:50 [Qemu-devel] [PATCH] virtio-crypto: fix possible integer and heap overflow Gonglei
@ 2017-01-09 2:10 ` Gonglei (Arei)
0 siblings, 0 replies; 2+ messages in thread
From: Gonglei (Arei) @ 2017-01-09 2:10 UTC (permalink / raw)
To: Gonglei (Arei), qemu-devel; +Cc: mst, liqiang6-s, qemu-stable
Hi Michael,
Ping...
Regards,
-Gonglei
> -----Original Message-----
> From: Gonglei (Arei)
> Sent: Tuesday, January 03, 2017 2:50 PM
> To: qemu-devel@nongnu.org
> Cc: mst@redhat.com; liqiang6-s@360.cn; Gonglei (Arei);
> qemu-stable@nongnu.org
> Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
>
> Because the 'size_t' type is 4 bytes in 32-bit platform, which
> is the same with 'int'. It's easy to make 'max_len' to zero when
> integer overflow and then cause heap overflow if 'max_len' is zero.
>
> Using uint_64 instead of size_t to avoid the integer overflow.
>
> Cc: qemu-stable@nongnu.org
> Reported-by: Li Qiang <liqiang6-s@360.cn>
> Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> Tested-by: Li Qiang <liqiang6-s@360.cn>
> ---
> hw/virtio/virtio-crypto.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
> index 978bb98..fc30bc3 100644
> --- a/hw/virtio/virtio-crypto.c
> +++ b/hw/virtio/virtio-crypto.c
> @@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
> uint32_t hash_start_src_offset = 0, len_to_hash = 0;
> uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
>
> - size_t max_len, curr_size = 0;
> + uint64_t max_len, curr_size = 0;
> size_t s;
>
> /* Plain cipher */
> @@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
> return NULL;
> }
>
> - max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
> + max_len = (uint64_t)iv_len + aad_len + src_len + dst_len +
> hash_result_len;
> if (unlikely(max_len > vcrypto->conf.max_size)) {
> virtio_error(vdev, "virtio-crypto too big length");
> return NULL;
> --
> 1.8.3.1
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-01-09 2:10 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-01-03 6:50 [Qemu-devel] [PATCH] virtio-crypto: fix possible integer and heap overflow Gonglei
2017-01-09 2:10 ` Gonglei (Arei)
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.