diff mbox

virtio-crypto: fix possible integer and heap overflow

Message ID 1483426203-16196-1-git-send-email-arei.gonglei@huawei.com
State New
Headers show

Commit Message

Gonglei (Arei) Jan. 3, 2017, 6:50 a.m. UTC 
Because the 'size_t' type is 4 bytes in 32-bit platform, which
is the same with 'int'. It's easy to make 'max_len' to zero when
integer overflow and then cause heap overflow if 'max_len' is zero.

Using uint_64 instead of size_t to avoid the integer overflow.

Cc: qemu-stable@nongnu.org
Reported-by: Li Qiang <liqiang6-s@360.cn>
Signed-off-by: Gonglei <arei.gonglei@huawei.com>
Tested-by: Li Qiang <liqiang6-s@360.cn>
---
 hw/virtio/virtio-crypto.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Gonglei (Arei) Jan. 9, 2017, 2:10 a.m. UTC | #1 
Hi Michael,

Ping...



Regards,
-Gonglei


> -----Original Message-----
> From: Gonglei (Arei)
> Sent: Tuesday, January 03, 2017 2:50 PM
> To: qemu-devel@nongnu.org
> Cc: mst@redhat.com; liqiang6-s@360.cn; Gonglei (Arei);
> qemu-stable@nongnu.org
> Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
> 
> Because the 'size_t' type is 4 bytes in 32-bit platform, which
> is the same with 'int'. It's easy to make 'max_len' to zero when
> integer overflow and then cause heap overflow if 'max_len' is zero.
> 
> Using uint_64 instead of size_t to avoid the integer overflow.
> 
> Cc: qemu-stable@nongnu.org
> Reported-by: Li Qiang <liqiang6-s@360.cn>
> Signed-off-by: Gonglei <arei.gonglei@huawei.com>
> Tested-by: Li Qiang <liqiang6-s@360.cn>
> ---
>  hw/virtio/virtio-crypto.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
> index 978bb98..fc30bc3 100644
> --- a/hw/virtio/virtio-crypto.c
> +++ b/hw/virtio/virtio-crypto.c
> @@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
>      uint32_t hash_start_src_offset = 0, len_to_hash = 0;
>      uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
> 
> -    size_t max_len, curr_size = 0;
> +    uint64_t max_len, curr_size = 0;
>      size_t s;
> 
>      /* Plain cipher */
> @@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
>          return NULL;
>      }
> 
> -    max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
> +    max_len = (uint64_t)iv_len + aad_len + src_len + dst_len +
> hash_result_len;
>      if (unlikely(max_len > vcrypto->conf.max_size)) {
>          virtio_error(vdev, "virtio-crypto too big length");
>          return NULL;
> --
> 1.8.3.1
>
diff mbox

Patch

diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
index 978bb98..fc30bc3 100644
--- a/hw/virtio/virtio-crypto.c
+++ b/hw/virtio/virtio-crypto.c
@@ -416,7 +416,7 @@  virtio_crypto_sym_op_helper(VirtIODevice *vdev,
     uint32_t hash_start_src_offset = 0, len_to_hash = 0;
     uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
 
-    size_t max_len, curr_size = 0;
+    uint64_t max_len, curr_size = 0;
     size_t s;
 
     /* Plain cipher */
@@ -441,7 +441,7 @@  virtio_crypto_sym_op_helper(VirtIODevice *vdev,
         return NULL;
     }
 
-    max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
+    max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
     if (unlikely(max_len > vcrypto->conf.max_size)) {
         virtio_error(vdev, "virtio-crypto too big length");
         return NULL;