From patchwork Sun Mar 17 09:09:48 2019
X-Patchwork-Submitter: Li Qiang
X-Patchwork-Id: 1057492
From: Li Qiang
To: arei.gonglei@huawei.com
Cc: Li Qiang, qemu-devel@nongnu.org
Date: Sun, 17 Mar 2019 02:09:48 -0700
Message-Id: <20190317090948.38023-1-liq3ea@163.com>
Subject: [Qemu-devel] [PATCH] cryptodev-vhost-user: fix a oob access

The 'queue_index' of the create/close_session functions is from the guest and can exceed 'MAX_CRYPTO_QUEUE_NUM'. This leads to oob access. This patch avoids this.

Signed-off-by: Li Qiang
---
 backends/cryptodev-vhost-user.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/backends/cryptodev-vhost-user.c b/backends/cryptodev-vhost-user.c index 1052a5d0e9..36a40eeb4d 100644 --- a/backends/cryptodev-vhost-user.c +++ b/backends/cryptodev-vhost-user.c 
@@ -236,6 +236,8 @@ static int64_t cryptodev_vhost_user_sym_create_session( CryptoDevBackendSymSessionInfo *sess_info, uint32_t queue_index, Error **errp) { + assert(queue_index < MAX_CRYPTO_QUEUE_NUM); + CryptoDevBackendClient *cc = backend->conf.peers.ccs[queue_index]; CryptoDevBackendVhost *vhost_crypto; @@ -262,6 +264,8 @@ static int cryptodev_vhost_user_sym_close_session( uint64_t session_id, uint32_t queue_index, Error **errp) { + assert(queue_index < MAX_CRYPTO_QUEUE_NUM); + CryptoDevBackendClient *cc = backend->conf.peers.ccs[queue_index]; CryptoDevBackendVhost *vhost_crypto;
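
Review bot: in cryptodev_vhost_user_sym_create_session the new assert(queue_index < MAX_CRYPTO_QUEUE_NUM) is applied to a value the commit message says comes from the guest, so an out-of-range index now aborts the whole QEMU process instead of failing the one request. That trades the out-of-bounds read of backend->conf.peers.ccs[] for a guest-triggerable termination of the VM. The function already takes Error **errp and returns int64_t, so an explicit range check that sets an error (for example with error_setg(errp, ...)) and returns a negative value would reject the bad index and leave the VM running. assert is better kept for conditions that can only be violated by a bug in QEMU itself.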
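
Review bot: in cryptodev_vhost_user_sym_close_session the assert is placed ahead of the declarations "CryptoDevBackendClient *cc = backend->conf.peers.ccs[queue_index];" and "CryptoDevBackendVhost *vhost_crypto;", which puts a statement in front of the declaration block. Declaring cc and vhost_crypto first, doing the range check, and only then assigning cc from ccs[queue_index] keeps the declarations at the top of the block and makes the ordering of check and array access explicit. Since this function also has errp and an int return, the check can report the bad queue_index through them rather than asserting on a guest-supplied value. The commit message would also benefit from stating which caller passes queue_index through unvalidated, so a reader can tell whether the check belongs here or at that caller.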