The 'queue_index' of create/close_session function
is from guest and can be exceed 'MAX_CRYPTO_QUEUE_NUM'.
This leads oob access. This patch avoid this.
Signed-off-by: Li Qiang <liq3ea@163.com>
---
backends/cryptodev-builtin.c | 4 ++++
backends/cryptodev-vhost-user.c | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c
index 9fb0bd57a6..c3a65b2f5f 100644
--- a/backends/cryptodev-builtin.c
+++ b/backends/cryptodev-builtin.c
@@ -249,6 +249,8 @@ static int64_t cryptodev_builtin_sym_create_session(
CryptoDevBackendSymSessionInfo *sess_info,
uint32_t queue_index, Error **errp)
{
+ assert(queue_index < MAX_CRYPTO_QUEUE_NUM);
+
CryptoDevBackendBuiltin *builtin =
CRYPTODEV_BACKEND_BUILTIN(backend);
int64_t session_id = -1;
@@ -280,6 +282,8 @@ static int cryptodev_builtin_sym_close_session(
uint64_t session_id,
uint32_t queue_index, Error **errp)
{
+ assert(queue_index < MAX_CRYPTO_QUEUE_NUM);
+
CryptoDevBackendBuiltin *builtin =
CRYPTODEV_BACKEND_BUILTIN(backend);
diff --git a/backends/cryptodev-vhost-user.c b/backends/cryptodev-vhost-user.c
index 1052a5d0e9..36a40eeb4d 100644
--- a/backends/cryptodev-vhost-user.c
+++ b/backends/cryptodev-vhost-user.c
@@ -236,6 +236,8 @@ static int64_t cryptodev_vhost_user_sym_create_session(
CryptoDevBackendSymSessionInfo *sess_info,
uint32_t queue_index, Error **errp)
{
+ assert(queue_index < MAX_CRYPTO_QUEUE_NUM);
+
CryptoDevBackendClient *cc =
backend->conf.peers.ccs[queue_index];
CryptoDevBackendVhost *vhost_crypto;
@@ -262,6 +264,8 @@ static int cryptodev_vhost_user_sym_close_session(
uint64_t session_id,
uint32_t queue_index, Error **errp)
{
+ assert(queue_index < MAX_CRYPTO_QUEUE_NUM);
+
CryptoDevBackendClient *cc =
backend->conf.peers.ccs[queue_index];
CryptoDevBackendVhost *vhost_crypto;
--
2.17.1
Hi Michael, Could you pls apply this patch in your tree? Thanks, -Gonglei > -----Original Message----- > From: Li Qiang [mailto:liq3ea@163.com] > Sent: Monday, March 18, 2019 9:12 AM > To: Gonglei (Arei) <arei.gonglei@huawei.com> > Cc: qemu-devel@nongnu.org; Li Qiang <liq3ea@163.com> > Subject: [PATCH] backends: cryptodev: fix oob access issue > > The 'queue_index' of create/close_session function > is from guest and can be exceed 'MAX_CRYPTO_QUEUE_NUM'. > This leads oob access. This patch avoid this. > > Signed-off-by: Li Qiang <liq3ea@163.com> > --- > backends/cryptodev-builtin.c | 4 ++++ > backends/cryptodev-vhost-user.c | 4 ++++ > 2 files changed, 8 insertions(+) > Reviewed-by: Gonglei <arei.gonglei@huawei.com> > diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c > index 9fb0bd57a6..c3a65b2f5f 100644 > --- a/backends/cryptodev-builtin.c > +++ b/backends/cryptodev-builtin.c > @@ -249,6 +249,8 @@ static int64_t cryptodev_builtin_sym_create_session( > CryptoDevBackendSymSessionInfo *sess_info, > uint32_t queue_index, Error **errp) > { > + assert(queue_index < MAX_CRYPTO_QUEUE_NUM); > + > CryptoDevBackendBuiltin *builtin = > CRYPTODEV_BACKEND_BUILTIN(backend); > int64_t session_id = -1; > @@ -280,6 +282,8 @@ static int cryptodev_builtin_sym_close_session( > uint64_t session_id, > uint32_t queue_index, Error **errp) > { > + assert(queue_index < MAX_CRYPTO_QUEUE_NUM); > + > CryptoDevBackendBuiltin *builtin = > CRYPTODEV_BACKEND_BUILTIN(backend); > > diff --git a/backends/cryptodev-vhost-user.c b/backends/cryptodev-vhost-user.c > index 1052a5d0e9..36a40eeb4d 100644 > --- a/backends/cryptodev-vhost-user.c > +++ b/backends/cryptodev-vhost-user.c > @@ -236,6 +236,8 @@ static int64_t > cryptodev_vhost_user_sym_create_session( > CryptoDevBackendSymSessionInfo *sess_info, > uint32_t queue_index, Error **errp) > { > + assert(queue_index < MAX_CRYPTO_QUEUE_NUM); > + > CryptoDevBackendClient *cc = > backend->conf.peers.ccs[queue_index]; > CryptoDevBackendVhost *vhost_crypto; > @@ -262,6 +264,8 @@ static int cryptodev_vhost_user_sym_close_session( > uint64_t session_id, > uint32_t queue_index, Error **errp) > { > + assert(queue_index < MAX_CRYPTO_QUEUE_NUM); > + > CryptoDevBackendClient *cc = > backend->conf.peers.ccs[queue_index]; > CryptoDevBackendVhost *vhost_crypto; > -- > 2.17.1 >
© 2016 - 2024 Red Hat, Inc.