From: Alistair Francis
To: qemu-devel@nongnu.org, peter.maydell@linaro.org
Cc: alistair23@gmail.com, Alistair Francis, Kurtis Miller, Philippe Mathieu-Daudé, Markus Armbruster
Date: Tue, 9 Apr 2019 23:55:17 +0000
Subject: [Qemu-devel] [PULL 1/1] device_tree: Fix integer overflowing in load_device_tree()
Message-ID: <20190409235401.12671-2-alistair.francis@wdc.com>
References: <20190409235401.12671-1-alistair.francis@wdc.com>
In-Reply-To: <20190409235401.12671-1-alistair.francis@wdc.com>
From: Markus Armbruster

If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
computation of @dt_size overflows to a negative number, which then gets
converted to a very large size_t for g_malloc0() and load_image_size().
In the (fortunately improbable) case g_malloc0() succeeds and
load_image_size() survives, we'd assign the negative number to *sizep.
What that would do to the callers I can't say, but it's unlikely to be
good.

Fix by rejecting images whose size would overflow.

Reported-by: Kurtis Miller
Signed-off-by: Markus Armbruster
Reviewed-by: Philippe Mathieu-Daudé
Signed-off-by: Alistair Francis
Message-Id: <20190409174018.25798-1-armbru@redhat.com>
---
 device_tree.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/device_tree.c b/device_tree.c
index 296278e12a..f8b46b3c73 100644
--- a/device_tree.c
+++ b/device_tree.c
@@ -84,6 +84,10 @@ void *load_device_tree(const char *filename_path, int *sizep)
                      filename_path);
         goto fail;
     }
+    if (dt_size > INT_MAX / 2 - 10000) {
+        error_report("Device tree file '%s' is too large", filename_path);
+        goto fail;
+    }
 
     /* Expand to 2x size to give enough room for manipulation. */
     dt_size += 10000;
-- 
2.21.0
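Review bot: the threshold `INT_MAX / 2 - 10000` in the added check hard-codes the same 10000 that the unchanged `dt_size += 10000;` line below it uses, and the factor 2 from the "Expand to 2x size" step, so the guard and the expansion can silently drift apart if either is edited later; consider deriving both from one named constant (for instance `#define DT_MANIPULATION_SLACK 10000`) and writing the bound as `INT_MAX / 2 - DT_MANIPULATION_SLACK`. The bound itself is tight: (INT_MAX / 2 - 10000 + 10000) * 2 is INT_MAX - 1, so no size that would have fit is rejected, and the error message is a clear improvement over a silent negative size reaching *sizep.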
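The boundary arithmetic behind the patch's check, as an added C example that is not code from QEMU or from this patch: checked_expand() mirrors the guarded size expansion, oracle_expand() computes the same value in 64-bit arithmetic where it cannot overflow, and guard_is_exact() sweeps a window around the threshold to confirm the guard rejects exactly the sizes whose expanded value would not fit in an int. The doubling step after the +10000 slack and the name DT_SLACK are assumptions taken from the "Expand to 2x size" comment and the commit message's bound.

```c
#include <limits.h>
#include <stdio.h>

/* Slack the patched function adds before doubling (assumed name). */
#define DT_SLACK 10000

/* Mirrors the patched load_device_tree() arithmetic: reject what the
 * guard rejects, otherwise expand to 2 * (size + DT_SLACK) in int.
 * Returns 0 with the result in *out, or -1 when the guard trips. */
static int checked_expand(int size, int *out)
{
    if (size < 0 || size > INT_MAX / 2 - DT_SLACK) {
        return -1;          /* the patch's "too large" failure path */
    }
    size += DT_SLACK;       /* bounded by the guard, cannot overflow */
    size *= 2;              /* (INT_MAX / 2) * 2 == INT_MAX - 1, fits */
    *out = size;
    return 0;
}

/* Oracle: the expanded value if int arithmetic could not overflow. */
static long long oracle_expand(int size)
{
    return ((long long)size + DT_SLACK) * 2;
}

/* For every non-negative size in [lo, hi] (lo >= 0 assumed), check that
 * the guard accepts the size exactly when the oracle value fits in an
 * int, and that the accepted result equals the oracle. Returns 1 if the
 * guard is exact over the whole window, 0 on the first mismatch. */
static int guard_is_exact(int lo, int hi)
{
    for (long long s = lo; s <= hi; s++) {
        int out;
        int accepted = checked_expand((int)s, &out) == 0;
        int fits = oracle_expand((int)s) <= (long long)INT_MAX;
        if (accepted != fits || (accepted && out != oracle_expand((int)s))) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    int limit = INT_MAX / 2 - DT_SLACK;   /* largest size the guard allows */
    printf("guard exact around %d: %s\n", limit,
           guard_is_exact(limit - 1000, limit + 1000) ? "yes" : "no");
    return 0;
}
```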