hw/virtio/virtio-crypto.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-)
Ensure op_info is not NULL in case of QCRYPTODEV_BACKEND_ALG_SYM algtype.
Fixes: 02ed3e7c ("virtio-crypto: zeroize the key material before free")
Signed-off-by: Mauro Matteo Cascella <mcascell@redhat.com>
Reported-by: Yiming Tao <taoym@zju.edu.cn>
---
hw/virtio/virtio-crypto.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
index 2fe804510f..c729a1f79e 100644
--- a/hw/virtio/virtio-crypto.c
+++ b/hw/virtio/virtio-crypto.c
@@ -476,15 +476,17 @@ static void virtio_crypto_free_request(VirtIOCryptoReq *req)
size_t max_len;
CryptoDevBackendSymOpInfo *op_info = req->op_info.u.sym_op_info;
- max_len = op_info->iv_len +
- op_info->aad_len +
- op_info->src_len +
- op_info->dst_len +
- op_info->digest_result_len;
-
- /* Zeroize and free request data structure */
- memset(op_info, 0, sizeof(*op_info) + max_len);
- g_free(op_info);
+ if (op_info) {
+ max_len = op_info->iv_len +
+ op_info->aad_len +
+ op_info->src_len +
+ op_info->dst_len +
+ op_info->digest_result_len;
+
+ /* Zeroize and free request data structure */
+ memset(op_info, 0, sizeof(*op_info) + max_len);
+ g_free(op_info);
+ }
} else if (req->flags == QCRYPTODEV_BACKEND_ALG_ASYM) {
CryptoDevBackendAsymOpInfo *op_info = req->op_info.u.asym_op_info;
if (op_info) {
--
2.40.1
> -----Original Message-----
> From: Mauro Matteo Cascella [mailto:mcascell@redhat.com]
> Sent: Monday, May 8, 2023 11:02 PM
> To: qemu-devel@nongnu.org
> Cc: mst@redhat.com; Gonglei (Arei) <arei.gonglei@huawei.com>;
> pizhenwei@bytedance.com; taoym@zju.edu.cn; mcascell@redhat.com
> Subject: [PATCH] virtio-crypto: fix NULL pointer dereference in
> virtio_crypto_free_request
>
> Ensure op_info is not NULL in case of QCRYPTODEV_BACKEND_ALG_SYM
> algtype.
>
> Fixes: 02ed3e7c ("virtio-crypto: zeroize the key material before free")
I have to say the fixes is incorrect. The bug was introduced by commit 0e660a6f90a, which
changed the semantic meaning of request-> flag.
Regards,
-Gonglei
On 5/9/23 09:02, Gonglei (Arei) wrote:
>
>
>> -----Original Message-----
>> From: Mauro Matteo Cascella [mailto:mcascell@redhat.com]
>> Sent: Monday, May 8, 2023 11:02 PM
>> To: qemu-devel@nongnu.org
>> Cc: mst@redhat.com; Gonglei (Arei) <arei.gonglei@huawei.com>;
>> pizhenwei@bytedance.com; taoym@zju.edu.cn; mcascell@redhat.com
>> Subject: [PATCH] virtio-crypto: fix NULL pointer dereference in
>> virtio_crypto_free_request
>>
>> Ensure op_info is not NULL in case of QCRYPTODEV_BACKEND_ALG_SYM
>> algtype.
>>
>> Fixes: 02ed3e7c ("virtio-crypto: zeroize the key material before free")
>
> I have to say the fixes is incorrect. The bug was introduced by commit 0e660a6f90a, which
> changed the semantic meaning of request-> flag.
>
> Regards,
> -Gonglei
>
Hi Mauro
Agree with Lei, could you please change the Fixes as Lei suggested?
--
zhenwei pi
On Tue, May 9, 2023 at 3:47 AM zhenwei pi <pizhenwei@bytedance.com> wrote:
>
>
>
> On 5/9/23 09:02, Gonglei (Arei) wrote:
> >
> >
> >> -----Original Message-----
> >> From: Mauro Matteo Cascella [mailto:mcascell@redhat.com]
> >> Sent: Monday, May 8, 2023 11:02 PM
> >> To: qemu-devel@nongnu.org
> >> Cc: mst@redhat.com; Gonglei (Arei) <arei.gonglei@huawei.com>;
> >> pizhenwei@bytedance.com; taoym@zju.edu.cn; mcascell@redhat.com
> >> Subject: [PATCH] virtio-crypto: fix NULL pointer dereference in
> >> virtio_crypto_free_request
> >>
> >> Ensure op_info is not NULL in case of QCRYPTODEV_BACKEND_ALG_SYM
> >> algtype.
> >>
> >> Fixes: 02ed3e7c ("virtio-crypto: zeroize the key material before free")
> >
> > I have to say the fixes is incorrect. The bug was introduced by commit 0e660a6f90a, which
> > changed the semantic meaning of request-> flag.
> >
> > Regards,
> > -Gonglei
> >
>
> Hi Mauro
>
> Agree with Lei, could you please change the Fixes as Lei suggested?
Sent v2.
Thanks!
> --
> zhenwei pi
>
--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
© 2016 - 2024 Red Hat, Inc.