1. Patchew
  2. QEMU
  3. [PATCH v2 0/2] Avoid QEMU OOM on huge request from guest
  4. View patch

[PATCH v2 2/2] cryptodev-builtin: Limit the maximum size

zhenwei pi posted 2 patches 1 month, 2 weeks ago
Maintainers: "Gonglei (Arei)" <arei.gonglei@huawei.com>, zhenwei pi <zhenwei.pi@linux.dev>, "Michael S. Tsirkin" <mst@redhat.com>
[PATCH v2 2/2] cryptodev-builtin: Limit the maximum size
Posted by zhenwei pi 1 month, 2 weeks ago 
From: zhenwei pi <pizhenwei@tensorfer.com>

This backend driver is used for demonstration purposes only, unlimited
size leads QEMU OOM.

Fixes: CVE-2025-14876
Fixes: 1653a5f3fc7 ("cryptodev: introduce a new cryptodev backend")
Reported-by: 이재영 <nakamurajames123@gmail.com>
Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
---
 backends/cryptodev-builtin.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c
index 0414c01e06..55a3fbd27b 100644
--- a/backends/cryptodev-builtin.c
+++ b/backends/cryptodev-builtin.c
@@ -53,6 +53,8 @@ typedef struct CryptoDevBackendBuiltinSession {
 
 #define CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN    512
 #define CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN  64
+/* demonstration purposes only, use a limited size to avoid QEMU OOM */
+#define CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE  (1024 * 1024)
 
 struct CryptoDevBackendBuiltin {
     CryptoDevBackend parent_obj;
@@ -98,12 +100,7 @@ static void cryptodev_builtin_init(
                          1u << QCRYPTODEV_BACKEND_SERVICE_TYPE_MAC;
     backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC;
     backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1;
-    /*
-     * Set the Maximum length of crypto request.
-     * Why this value? Just avoid to overflow when
-     * memory allocation for each crypto request.
-     */
-    backend->conf.max_size = LONG_MAX - sizeof(CryptoDevBackendOpInfo);
+    backend->conf.max_size = CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE;
     backend->conf.max_cipher_key_len = CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN;
     backend->conf.max_auth_key_len = CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN;
     cryptodev_builtin_init_akcipher(backend);
-- 
2.43.0
RE: [PATCH v2 2/2] cryptodev-builtin: Limit the maximum size
Posted by Gonglei (Arei) 1 month, 2 weeks ago 
Hi,

> -----Original Message-----
> From: zhenwei pi <zhenwei.pi@linux.dev>
> Sent: Sunday, December 21, 2025 10:43 AM
> To: qemu-devel@nongnu.org
> Cc: mst@redhat.com; Gonglei (Arei) <arei.gonglei@huawei.com>;
> mcascell@redhat.com; nakamurajames123@gmail.com; zhenwei pi
> <pizhenwei@tensorfer.com>; zhenwei pi <zhenwei.pi@linux.dev>
> Subject: [PATCH v2 2/2] cryptodev-builtin: Limit the maximum size
> 
> From: zhenwei pi <pizhenwei@tensorfer.com>
> 
> This backend driver is used for demonstration purposes only, unlimited size leads
> QEMU OOM.
> 
> Fixes: CVE-2025-14876

Actually, I don't think this fix has anything to do with the CVE. You can consider it an improvement.

> Fixes: 1653a5f3fc7 ("cryptodev: introduce a new cryptodev backend")
> Reported-by: 이재영 <nakamurajames123@gmail.com>
> Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
> ---
>  backends/cryptodev-builtin.c | 9 +++------
>  1 file changed, 3 insertions(+), 6 deletions(-)
> 
> diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c index
> 0414c01e06..55a3fbd27b 100644
> --- a/backends/cryptodev-builtin.c
> +++ b/backends/cryptodev-builtin.c
> @@ -53,6 +53,8 @@ typedef struct CryptoDevBackendBuiltinSession {
> 
>  #define CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN    512
>  #define CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN  64
> +/* demonstration purposes only, use a limited size to avoid QEMU OOM */
> +#define CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE  (1024 * 1024)
> 
>  struct CryptoDevBackendBuiltin {
>      CryptoDevBackend parent_obj;
> @@ -98,12 +100,7 @@ static void cryptodev_builtin_init(
>                           1u <<
> QCRYPTODEV_BACKEND_SERVICE_TYPE_MAC;
>      backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC;
>      backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1;
> -    /*
> -     * Set the Maximum length of crypto request.
> -     * Why this value? Just avoid to overflow when
> -     * memory allocation for each crypto request.
> -     */
> -    backend->conf.max_size = LONG_MAX - sizeof(CryptoDevBackendOpInfo);
> +    backend->conf.max_size = CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE;
>      backend->conf.max_cipher_key_len =
> CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN;
>      backend->conf.max_auth_key_len =
> CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN;
>      cryptodev_builtin_init_akcipher(backend);
> --
> 2.43.0
Re: [PATCH v2 2/2] cryptodev-builtin: Limit the maximum size
Posted by zhenwei pi 1 month, 2 weeks ago 
On 12/22/25 09:29, Gonglei (Arei) wrote:
> Hi,
> 
>> -----Original Message-----
>> From: zhenwei pi <zhenwei.pi@linux.dev>
>> Sent: Sunday, December 21, 2025 10:43 AM
>> To: qemu-devel@nongnu.org
>> Cc: mst@redhat.com; Gonglei (Arei) <arei.gonglei@huawei.com>;
>> mcascell@redhat.com; nakamurajames123@gmail.com; zhenwei pi
>> <pizhenwei@tensorfer.com>; zhenwei pi <zhenwei.pi@linux.dev>
>> Subject: [PATCH v2 2/2] cryptodev-builtin: Limit the maximum size
>>
>> From: zhenwei pi <pizhenwei@tensorfer.com>
>>
>> This backend driver is used for demonstration purposes only, unlimited size leads
>> QEMU OOM.
>>
>> Fixes: CVE-2025-14876
> 
> Actually, I don't think this fix has anything to do with the CVE. You can consider it an improvement.
> 

The original size is almost LONG_MAX, it does not limit memory usage of 
QEMU. So I used to think it was also a part of this CVE.

I also have no objection to removing this tag from here.

>> Fixes: 1653a5f3fc7 ("cryptodev: introduce a new cryptodev backend")
>> Reported-by: 이재영 <nakamurajames123@gmail.com>
>> Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
>> ---
>>   backends/cryptodev-builtin.c | 9 +++------
>>   1 file changed, 3 insertions(+), 6 deletions(-)
>>
>> diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c index
>> 0414c01e06..55a3fbd27b 100644
>> --- a/backends/cryptodev-builtin.c
>> +++ b/backends/cryptodev-builtin.c
>> @@ -53,6 +53,8 @@ typedef struct CryptoDevBackendBuiltinSession {
>>
>>   #define CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN    512
>>   #define CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN  64
>> +/* demonstration purposes only, use a limited size to avoid QEMU OOM */
>> +#define CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE  (1024 * 1024)
>>
>>   struct CryptoDevBackendBuiltin {
>>       CryptoDevBackend parent_obj;
>> @@ -98,12 +100,7 @@ static void cryptodev_builtin_init(
>>                            1u <<
>> QCRYPTODEV_BACKEND_SERVICE_TYPE_MAC;
>>       backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC;
>>       backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1;
>> -    /*
>> -     * Set the Maximum length of crypto request.
>> -     * Why this value? Just avoid to overflow when
>> -     * memory allocation for each crypto request.
>> -     */
>> -    backend->conf.max_size = LONG_MAX - sizeof(CryptoDevBackendOpInfo);
>> +    backend->conf.max_size = CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE;
>>       backend->conf.max_cipher_key_len =
>> CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN;
>>       backend->conf.max_auth_key_len =
>> CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN;
>>       cryptodev_builtin_init_akcipher(backend);
>> --
>> 2.43.0
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.