diff options
Diffstat (limited to 'app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch')
| -rw-r--r-- | app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch new file mode 100644 index 00000000000..f24d557c96d --- /dev/null +++ b/app-emulation/qemu/files/qemu-2.8.0-CVE-2017-5931.patch @@ -0,0 +1,46 @@ +From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001 +From: Gonglei <arei.gonglei@huawei.com> +Date: Tue, 3 Jan 2017 14:50:03 +0800 +Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow + +Because the 'size_t' type is 4 bytes in 32-bit platform, which +is the same with 'int'. It's easy to make 'max_len' to zero when +integer overflow and then cause heap overflow if 'max_len' is zero. + +Using uint_64 instead of size_t to avoid the integer overflow. + +Cc: qemu-stable@nongnu.org +Reported-by: Li Qiang <liqiang6-s@360.cn> +Signed-off-by: Gonglei <arei.gonglei@huawei.com> +Tested-by: Li Qiang <liqiang6-s@360.cn> +Reviewed-by: Michael S. Tsirkin <mst@redhat.com> +Signed-off-by: Michael S. Tsirkin <mst@redhat.com> +--- + hw/virtio/virtio-crypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c +index 2f2467e..c23e1ad 100644 +--- a/hw/virtio/virtio-crypto.c ++++ b/hw/virtio/virtio-crypto.c +@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, + uint32_t hash_start_src_offset = 0, len_to_hash = 0; + uint32_t cipher_start_src_offset = 0, len_to_cipher = 0; + +- size_t max_len, curr_size = 0; ++ uint64_t max_len, curr_size = 0; + size_t s; + + /* Plain cipher */ +@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, + return NULL; + } + +- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len; ++ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len; + if (unlikely(max_len > vcrypto->conf.max_size)) { + virtio_error(vdev, "virtio-crypto too big length"); + return NULL; +-- +2.10.2 + |