Re: [Qemu-devel] [PATCH for-4.0-maybe] device_tree: Fix integer overflowing in load_device_tree()

[Philippe Mathieu-Daudé]

On 4/9/19 10:08 PM, Peter Maydell wrote:
> On Wed, 10 Apr 2019 at 00:40, Markus Armbruster <address@hidden> wrote:
>>
>> If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
>> computation of @dt_size overflows to a negative number, which then
>> gets converted to a very large size_t for g_malloc0() and
>> load_image_size().  In the (fortunately improbable) case g_malloc0()
>> succeeds and load_image_size() survives, we'd assign the negative
>> number to *sizep.  What that would do to the callers I can't say, but
>> it's unlikely to be good.
>>
>> Fix by rejecting images whose size would overflow.
>>
>> Signed-off-by: Markus Armbruster <address@hidden>
> 
> I think this patch is missing some attributions for the
> security researchers who found the issue initially.
> PJP's patch for this from a couple of weeks back has a
> reported-by credit:
> https://patchew.org/QEMU/address@hidden/

Oh I missed that thread while on PTO. This answers my "how did you
figure that out?" question :)

Thanks,

Phil.