From patchwork Mon Mar 18 01:11:47 2019
X-Patchwork-Submitter: Li Qiang
X-Patchwork-Id: 10856737
From: Li Qiang
To: arei.gonglei@huawei.com
Date: Mon, 18 Mar 2019 09:11:47 +0800
Message-Id: <20190318011147.15690-1-liq3ea@163.com>
Subject: [Qemu-devel] [PATCH] backends: cryptodev: fix oob access issue
Cc: Li Qiang, qemu-devel@nongnu.org

The 'queue_index' of create/close_session function is from guest and
can exceed 'MAX_CRYPTO_QUEUE_NUM'. This leads to oob access. This patch avoids this.

Signed-off-by: Li Qiang
Reviewed-by: Gonglei
--- backends/cryptodev-builtin.c | 4 ++++ backends/cryptodev-vhost-user.c | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c index 9fb0bd57a6..c3a65b2f5f 100644
--- a/backends/cryptodev-builtin.c +++ b/backends/cryptodev-builtin.c @@ -249,6 +249,8 @@ static int64_t cryptodev_builtin_sym_create_session( CryptoDevBackendSymSessionInfo *sess_info, uint32_t queue_index, Error **errp) { + assert(queue_index < MAX_CRYPTO_QUEUE_NUM); + CryptoDevBackendBuiltin *builtin = CRYPTODEV_BACKEND_BUILTIN(backend); int64_t session_id = -1; @@ -280,6 +282,8 @@ static int cryptodev_builtin_sym_close_session( uint64_t session_id, uint32_t queue_index, Error **errp) { + assert(queue_index < MAX_CRYPTO_QUEUE_NUM); + CryptoDevBackendBuiltin *builtin = CRYPTODEV_BACKEND_BUILTIN(backend); diff --git a/backends/cryptodev-vhost-user.c b/backends/cryptodev-vhost-user.c index 1052a5d0e9..36a40eeb4d 100644 --- a/backends/cryptodev-vhost-user.c +++ b/backends/cryptodev-vhost-user.c @@ -236,6 +236,8 @@ static int64_t cryptodev_vhost_user_sym_create_session( CryptoDevBackendSymSessionInfo *sess_info, uint32_t queue_index, Error **errp) { + assert(queue_index < MAX_CRYPTO_QUEUE_NUM); + CryptoDevBackendClient *cc = backend->conf.peers.ccs[queue_index]; CryptoDevBackendVhost *vhost_crypto; @@ -262,6 +264,8 @@ static int cryptodev_vhost_user_sym_close_session( uint64_t session_id, uint32_t queue_index, Error **errp) { + assert(queue_index < MAX_CRYPTO_QUEUE_NUM); + CryptoDevBackendClient *cc = backend->conf.peers.ccs[queue_index]; CryptoDevBackendVhost *vhost_crypto;
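
Review bot: In the `@@ -249,6 +249,8 @@` hunk of backends/cryptodev-builtin.c, the added `assert(queue_index < MAX_CRYPTO_QUEUE_NUM);` turns a value the commit message describes as coming from the guest into a process abort, so a guest that sends a large index can terminate the whole VM instead of getting an error back. cryptodev_builtin_sym_create_session() already takes `Error **errp` and initialises `session_id = -1`, so the check can fail the request instead: report through `error_setg(errp, ...)` and `return -1`. Separately, the assert is placed before the `CryptoDevBackendBuiltin *builtin` declaration, which puts a statement ahead of the declarations at the top of the block; moving the check below the declarations keeps the function's layout consistent.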
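
Review bot: In the `@@ -280,6 +282,8 @@` hunk of backends/cryptodev-builtin.c, nothing in the visible context of cryptodev_builtin_sym_close_session() uses `queue_index` as an array index; the only line shown after the assert is `CRYPTODEV_BACKEND_BUILTIN(backend)`. The commit message should name the array that is indexed in the builtin backend, or, if `queue_index` is not used for indexing in this function, the check does not fix an out-of-bounds access here and only adds a guest-reachable abort. If a check is kept, this function returns `int` and has `errp`, so a negative return with an error set is available.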
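
Review bot: In the `@@ -236,6 +236,8 @@` hunk of backends/cryptodev-vhost-user.c, the bound in the new assert is not tied to the array it protects: the access being guarded is `backend->conf.peers.ccs[queue_index]`, but the check compares against `MAX_CRYPTO_QUEUE_NUM` without anything in the hunk showing that this is the declared length of `ccs`. Please confirm that in the commit message or compare against `ARRAY_SIZE(backend->conf.peers.ccs)` so the check cannot drift from the array. As with the builtin backend, the value is guest-supplied, so returning an error through `errp` is preferable to asserting; that also means the `cc` initialiser has to move below the check rather than sit in the declaration.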
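
Review bot: In the `@@ -264,6 +266,8 @@` hunk of backends/cryptodev-vhost-user.c, this is the fourth identical copy of `assert(queue_index < MAX_CRYPTO_QUEUE_NUM);`, and each backend callback now has to remember to repeat it. Validating `queue_index` once, at the point where the guest-supplied value is handed to the backend's create/close session callbacks, would cover both backends and any backend added later. If the per-callback check stays, cryptodev_vhost_user_sym_close_session() returns `int` and takes `errp`, so it can reject the index with an error rather than abort before reading `backend->conf.peers.ccs[queue_index]`.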