Diffstat (limited to 'recipes-devtools/qemu/qemu/CVE-2017-5931.patch')
-rw-r--r-- | recipes-devtools/qemu/qemu/CVE-2017-5931.patch | 52 |
1 files changed, 52 insertions, 0 deletions
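diff --git a/recipes-devtools/qemu/qemu/CVE-2017-5931.patch b/recipes-devtools/qemu/qemu/CVE-2017-5931.patch
new file mode 100644
index 0000000..4c35c26
--- /dev/null
+++ b/recipes-devtools/qemu/qemu/CVE-2017-5931.patch
@@ -0,0 +1,52 @@
+From d6f119475d3c9c913f9140771895036be66d5c33 Mon Sep 17 00:00:00 2001
+From: Gonglei <arei.gonglei@huawei.com>
+Date: Tue, 3 Jan 2017 14:50:03 +0800
+Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
+
+Because the 'size_t' type is 4 bytes in 32-bit platform, which
+is the same with 'int'. It's easy to make 'max_len' to zero when
+integer overflow and then cause heap overflow if 'max_len' is zero.
+
+Using uint_64 instead of size_t to avoid the integer overflow.
+
+CVE: CVE-2017-5931
+Upstream-Status: Backport [backport from 2.8.1.1 releases: https://git.qemu.org/?p=qemu.git;a=commit;h=d6f119475d3c9c913f9140771895036be66d5c33]
+
+Cc: qemu-stable@nongnu.org
+Reported-by: Li Qiang <liqiang6-s@360.cn>
+Signed-off-by: Gonglei <arei.gonglei@huawei.com>
+Tested-by: Li Qiang <liqiang6-s@360.cn>
+Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+(cherry picked from commit a08aaff811fb194950f79711d2afe5a892ae03a4)
+Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+hw/virtio/virtio-crypto.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
+index 2f2467e..c23e1ad 100644
+--- a/hw/virtio/virtio-crypto.c
++++ b/hw/virtio/virtio-crypto.c
+@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
+uint32_t hash_start_src_offset = 0, len_to_hash = 0;
+uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
+
+- size_t max_len, curr_size = 0;
++ uint64_t max_len, curr_size = 0;
+size_t s;
+
+/* Plain cipher */
+@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
+return NULL;
+}
+
+- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
++ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
+if (unlikely(max_len > vcrypto->conf.max_size)) {
+virtio_error(vdev, "virtio-crypto too big length");
+return NULL;
+--
+1.9.1
+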
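Review bot: The widened sum `max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;` relies on the single cast on `iv_len` promoting the whole left-to-right chain to 64 bits, and nothing in the code says so. A comment such as `/* add in 64 bits so the request lengths cannot wrap before the max_size check */` would keep a later reordering of the operands from reintroducing the wrap. `size_t s;` is left unchanged and, per the commit message, is 4 bytes on 32-bit platforms, so any later assignment from `max_len` or `curr_size` into it, and the allocation that presumably follows the check, are only safe if `vcrypto->conf.max_size` itself fits in `size_t`. That code is outside both hunks of `virtio_crypto_sym_op_helper` and should be confirmed. Because the diffstat on this page is limited to the patch file, also check that the qemu recipe lists `file://CVE-2017-5931.patch` in `SRC_URI`, otherwise the fix is never applied to the build.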