1. Patchew
  2. QEMU
  3. View series

[Qemu-devel] [PATCH] backends: cryptodev: fix oob access issue

Li Qiang posted 1 patch 6 years, 10 months ago
Test docker-mingw@fedora passed
Test docker-clang@ubuntu passed
Test checkpatch passed
Test asan passed
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/20190318011147.15690-1-liq3ea@163.com
Maintainers: Gonglei <arei.gonglei@huawei.com>
backends/cryptodev-builtin.c    | 4 ++++
backends/cryptodev-vhost-user.c | 4 ++++
2 files changed, 8 insertions(+)
[Qemu-devel] [PATCH] backends: cryptodev: fix oob access issue
Posted by Li Qiang 6 years, 10 months ago 
The 'queue_index' of create/close_session function
is from guest and can be exceed 'MAX_CRYPTO_QUEUE_NUM'.
This leads oob access. This patch avoid this.

Signed-off-by: Li Qiang <liq3ea@163.com>
---
 backends/cryptodev-builtin.c    | 4 ++++
 backends/cryptodev-vhost-user.c | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c
index 9fb0bd57a6..c3a65b2f5f 100644
--- a/backends/cryptodev-builtin.c
+++ b/backends/cryptodev-builtin.c
@@ -249,6 +249,8 @@ static int64_t cryptodev_builtin_sym_create_session(
            CryptoDevBackendSymSessionInfo *sess_info,
            uint32_t queue_index, Error **errp)
 {
+    assert(queue_index < MAX_CRYPTO_QUEUE_NUM);
+
     CryptoDevBackendBuiltin *builtin =
                       CRYPTODEV_BACKEND_BUILTIN(backend);
     int64_t session_id = -1;
@@ -280,6 +282,8 @@ static int cryptodev_builtin_sym_close_session(
            uint64_t session_id,
            uint32_t queue_index, Error **errp)
 {
+    assert(queue_index < MAX_CRYPTO_QUEUE_NUM);
+
     CryptoDevBackendBuiltin *builtin =
                       CRYPTODEV_BACKEND_BUILTIN(backend);
 
diff --git a/backends/cryptodev-vhost-user.c b/backends/cryptodev-vhost-user.c
index 1052a5d0e9..36a40eeb4d 100644
--- a/backends/cryptodev-vhost-user.c
+++ b/backends/cryptodev-vhost-user.c
@@ -236,6 +236,8 @@ static int64_t cryptodev_vhost_user_sym_create_session(
            CryptoDevBackendSymSessionInfo *sess_info,
            uint32_t queue_index, Error **errp)
 {
+    assert(queue_index < MAX_CRYPTO_QUEUE_NUM);
+
     CryptoDevBackendClient *cc =
                    backend->conf.peers.ccs[queue_index];
     CryptoDevBackendVhost *vhost_crypto;
@@ -262,6 +264,8 @@ static int cryptodev_vhost_user_sym_close_session(
            uint64_t session_id,
            uint32_t queue_index, Error **errp)
 {
+    assert(queue_index < MAX_CRYPTO_QUEUE_NUM);
+
     CryptoDevBackendClient *cc =
                   backend->conf.peers.ccs[queue_index];
     CryptoDevBackendVhost *vhost_crypto;
-- 
2.17.1
Re: [Qemu-devel] [PATCH] backends: cryptodev: fix oob access issue
Posted by Gonglei (Arei) 6 years, 10 months ago 
Hi Michael,

Could you pls apply this patch in your tree?

Thanks,
-Gonglei


> -----Original Message-----
> From: Li Qiang [mailto:liq3ea@163.com]
> Sent: Monday, March 18, 2019 9:12 AM
> To: Gonglei (Arei) <arei.gonglei@huawei.com>
> Cc: qemu-devel@nongnu.org; Li Qiang <liq3ea@163.com>
> Subject: [PATCH] backends: cryptodev: fix oob access issue
> 
> The 'queue_index' of create/close_session function
> is from guest and can be exceed 'MAX_CRYPTO_QUEUE_NUM'.
> This leads oob access. This patch avoid this.
> 
> Signed-off-by: Li Qiang <liq3ea@163.com>
> ---
>  backends/cryptodev-builtin.c    | 4 ++++
>  backends/cryptodev-vhost-user.c | 4 ++++
>  2 files changed, 8 insertions(+)
> 

Reviewed-by: Gonglei <arei.gonglei@huawei.com>


> diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c
> index 9fb0bd57a6..c3a65b2f5f 100644
> --- a/backends/cryptodev-builtin.c
> +++ b/backends/cryptodev-builtin.c
> @@ -249,6 +249,8 @@ static int64_t cryptodev_builtin_sym_create_session(
>             CryptoDevBackendSymSessionInfo *sess_info,
>             uint32_t queue_index, Error **errp)
>  {
> +    assert(queue_index < MAX_CRYPTO_QUEUE_NUM);
> +
>      CryptoDevBackendBuiltin *builtin =
>                        CRYPTODEV_BACKEND_BUILTIN(backend);
>      int64_t session_id = -1;
> @@ -280,6 +282,8 @@ static int cryptodev_builtin_sym_close_session(
>             uint64_t session_id,
>             uint32_t queue_index, Error **errp)
>  {
> +    assert(queue_index < MAX_CRYPTO_QUEUE_NUM);
> +
>      CryptoDevBackendBuiltin *builtin =
>                        CRYPTODEV_BACKEND_BUILTIN(backend);
> 
> diff --git a/backends/cryptodev-vhost-user.c b/backends/cryptodev-vhost-user.c
> index 1052a5d0e9..36a40eeb4d 100644
> --- a/backends/cryptodev-vhost-user.c
> +++ b/backends/cryptodev-vhost-user.c
> @@ -236,6 +236,8 @@ static int64_t
> cryptodev_vhost_user_sym_create_session(
>             CryptoDevBackendSymSessionInfo *sess_info,
>             uint32_t queue_index, Error **errp)
>  {
> +    assert(queue_index < MAX_CRYPTO_QUEUE_NUM);
> +
>      CryptoDevBackendClient *cc =
>                     backend->conf.peers.ccs[queue_index];
>      CryptoDevBackendVhost *vhost_crypto;
> @@ -262,6 +264,8 @@ static int cryptodev_vhost_user_sym_close_session(
>             uint64_t session_id,
>             uint32_t queue_index, Error **errp)
>  {
> +    assert(queue_index < MAX_CRYPTO_QUEUE_NUM);
> +
>      CryptoDevBackendClient *cc =
>                    backend->conf.peers.ccs[queue_index];
>      CryptoDevBackendVhost *vhost_crypto;
> --
> 2.17.1
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.