From patchwork Tue Jan 3 06:50:03 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Gonglei (Arei)" X-Patchwork-Id: 9494489 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id A604D606A7 for ; Tue, 3 Jan 2017 06:51:14 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 99C6D25E13 for ; Tue, 3 Jan 2017 06:51:14 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8E60C2679B; Tue, 3 Jan 2017 06:51:14 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id A8A78269DA for ; Tue, 3 Jan 2017 06:51:11 +0000 (UTC) Received: from localhost ([::1]:60502 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cOIw9-0004gp-Bs for patchwork-qemu-devel@patchwork.kernel.org; Tue, 03 Jan 2017 01:51:09 -0500 Received: from eggs.gnu.org ([2001:4830:134:3::10]:57022) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cOIvn-0004fn-US for qemu-devel@nongnu.org; Tue, 03 Jan 2017 01:50:49 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cOIvk-0001DC-1k for qemu-devel@nongnu.org; Tue, 03 Jan 2017 01:50:48 -0500 Received: from szxga01-in.huawei.com ([58.251.152.64]:16779) by eggs.gnu.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.71) (envelope-from ) id 1cOIvj-00019h-3z; Tue, 03 Jan 2017 01:50:43 -0500 Received: from 172.24.1.137 (EHLO szxeml433-hub.china.huawei.com) ([172.24.1.137]) by szxrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DXI70553; Tue, 03 Jan 2017 14:50:17 +0800 (CST) Received: from localhost (10.177.18.62) by szxeml433-hub.china.huawei.com (10.82.67.210) with Microsoft SMTP Server id 14.3.235.1; Tue, 3 Jan 2017 14:50:07 +0800 From: Gonglei To: Date: Tue, 3 Jan 2017 14:50:03 +0800 Message-ID: <1483426203-16196-1-git-send-email-arei.gonglei@huawei.com> X-Mailer: git-send-email 2.8.2.windows.1 MIME-Version: 1.0 X-Originating-IP: [10.177.18.62] X-CFilter-Loop: Reflected X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A0B0207.586B49AE.0142, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: 2c3061be5c9a5e462a1a35ec1ddb56e3 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.4.x-2.6.x [generic] [fuzzy] X-Received-From: 58.251.152.64 Subject: [Qemu-devel] [PATCH] virtio-crypto: fix possible integer and heap overflow X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Gonglei , liqiang6-s@360.cn, qemu-stable@nongnu.org, mst@redhat.com Errors-To: qemu-devel-bounces+patchwork-qemu-devel=patchwork.kernel.org@nongnu.org Sender: "Qemu-devel" X-Virus-Scanned: ClamAV using ClamSMTP Because the 'size_t' type is 4 bytes in 32-bit platform, which is the same with 'int'. It's easy to make 'max_len' to zero when integer overflow and then cause heap overflow if 'max_len' is zero. Using uint_64 instead of size_t to avoid the integer overflow. Cc: qemu-stable@nongnu.org Reported-by: Li Qiang Signed-off-by: Gonglei Tested-by: Li Qiang --- hw/virtio/virtio-crypto.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c index 978bb98..fc30bc3 100644 --- a/hw/virtio/virtio-crypto.c +++ b/hw/virtio/virtio-crypto.c @@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, uint32_t hash_start_src_offset = 0, len_to_hash = 0; uint32_t cipher_start_src_offset = 0, len_to_cipher = 0; - size_t max_len, curr_size = 0; + uint64_t max_len, curr_size = 0; size_t s; /* Plain cipher */ @@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, return NULL; } - max_len = iv_len + aad_len + src_len + dst_len + hash_result_len; + max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len; if (unlikely(max_len > vcrypto->conf.max_size)) { virtio_error(vdev, "virtio-crypto too big length"); return NULL;