[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 45/81] virtio-crypto: fix possible integer and heap
|
From: |
Michael Roth |
|
Subject: |
[Qemu-devel] [PATCH 45/81] virtio-crypto: fix possible integer and heap overflow |
|
Date: |
Mon, 20 Mar 2017 18:08:09 -0500 |
From: Gonglei <address@hidden>
Because the 'size_t' type is 4 bytes in 32-bit platform, which
is the same with 'int'. It's easy to make 'max_len' to zero when
integer overflow and then cause heap overflow if 'max_len' is zero.
Using uint_64 instead of size_t to avoid the integer overflow.
Cc: address@hidden
Reported-by: Li Qiang <address@hidden>
Signed-off-by: Gonglei <address@hidden>
Tested-by: Li Qiang <address@hidden>
Reviewed-by: Michael S. Tsirkin <address@hidden>
Signed-off-by: Michael S. Tsirkin <address@hidden>
(cherry picked from commit a08aaff811fb194950f79711d2afe5a892ae03a4)
Signed-off-by: Michael Roth <address@hidden>
---
hw/virtio/virtio-crypto.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
index 2f2467e..c23e1ad 100644
--- a/hw/virtio/virtio-crypto.c
+++ b/hw/virtio/virtio-crypto.c
@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
uint32_t hash_start_src_offset = 0, len_to_hash = 0;
uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
- size_t max_len, curr_size = 0;
+ uint64_t max_len, curr_size = 0;
size_t s;
/* Plain cipher */
@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
return NULL;
}
- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
if (unlikely(max_len > vcrypto->conf.max_size)) {
virtio_error(vdev, "virtio-crypto too big length");
return NULL;
--
2.7.4
- [Qemu-devel] [PATCH 39/81] 9pfs: fix crash when fsdev is missing, (continued)
- [Qemu-devel] [PATCH 39/81] 9pfs: fix crash when fsdev is missing, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 42/81] scsi-block: fix direction of BYTCHK test for VERIFY commands, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 30/81] 9pfs: fix fd leak in local_opendir(), Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 33/81] 9pfs: fix O_PATH build break with older glibc versions, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 36/81] balloon: Don't balloon roms, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 46/81] exec: Add missing rcu_read_unlock, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 38/81] virtio: fix vq->inuse recalc after migr, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 43/81] ui/vnc: Fix problem with sending too many bytes as server name, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 50/81] tcg/aarch64: Fix addsub2 for 0+C, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 40/81] pc: fix crash in rtc_set_memory() if initial cpu is marked as hotplugged, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 45/81] virtio-crypto: fix possible integer and heap overflow,
Michael Roth <=
- [Qemu-devel] [PATCH 48/81] x86: ioapic: fix fail migration when irqchip=split, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 53/81] virtio: fix up max size checks, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 35/81] machine: Convert abstract typename on compat_props to subclass names, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 34/81] 9pfs: fix vulnerability in openat_dir() and local_unlinkat_common(), Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 47/81] display: cirrus: ignore source pitch value as needed in blit_is_unsafe, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 04/81] 9pfs: introduce relative_openat_nofollow() helper, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 60/81] s390x/kvm: fix small race reboot vs. cmma, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 57/81] cpu-exec: fix icount out-of-bounds access, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 54/81] block/iscsi: avoid data corruption with cache=writeback, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 58/81] ahci: advertise HOST_CAP_64, Michael Roth, 2017/03/20