* [PATCH 0/2] Avoid QEMU OOM on huge request from guest
@ 2025-12-14 9:09 zhenwei pi
2025-12-14 9:09 ` [PATCH 1/2] hw/virtio/virtio-crypto: verify asym request size zhenwei pi
2025-12-14 9:09 ` [PATCH 2/2] cryptodev-builtin: Limit the maximum size zhenwei pi
0 siblings, 2 replies; 6+ messages in thread
From: zhenwei pi @ 2025-12-14 9:09 UTC (permalink / raw)
To: qemu-devel
Cc: mst, arei.gonglei, nakamurajames123, qemu-security, mcascell,
zhenwei pi
Fix two issues in this series:
- Verify asym request size from device level
- Limit the maximum size for cryptodev builtin driver
zhenwei pi (2):
hw/virtio/virtio-crypto: verify asym request size
cryptodev-builtin: Limit the maximum size
backends/cryptodev-builtin.c | 9 +++------
hw/virtio/virtio-crypto.c | 7 +++++++
2 files changed, 10 insertions(+), 6 deletions(-)
--
2.43.0
* [PATCH 1/2] hw/virtio/virtio-crypto: verify asym request size
2025-12-14 9:09 [PATCH 0/2] Avoid QEMU OOM on huge request from guest zhenwei pi
@ 2025-12-14 9:09 ` zhenwei pi
2025-12-18 10:43 ` Mauro Matteo Cascella
2025-12-20 17:45 ` Michael Tokarev
2025-12-14 9:09 ` [PATCH 2/2] cryptodev-builtin: Limit the maximum size zhenwei pi
1 sibling, 2 replies; 6+ messages in thread
From: zhenwei pi @ 2025-12-14 9:09 UTC (permalink / raw)
To: qemu-devel
Cc: mst, arei.gonglei, nakamurajames123, qemu-security, mcascell,
zhenwei pi
The total length of request is limited by cryptodev config, verify it
to avoid unexpected request from guest.
Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm")
Reported-by: AM 이재영 <nakamurajames123@gmail.com>
Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
---
hw/virtio/virtio-crypto.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
index 517f2089c5..94dbf9d92d 100644
--- a/hw/virtio/virtio-crypto.c
+++ b/hw/virtio/virtio-crypto.c
@@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto,
uint32_t len;
uint8_t *src = NULL;
uint8_t *dst = NULL;
+ uint64_t max_len;
asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1);
src_len = ldl_le_p(&req->para.src_data_len);
dst_len = ldl_le_p(&req->para.dst_data_len);
+ max_len = src_len + dst_len;
+ if (unlikely(max_len > vcrypto->conf.max_size)) {
+ virtio_error(vdev, "virtio-crypto asym too big length");
+ goto err;
+ }
+
if (src_len > 0) {
src = g_malloc0(src_len);
len = iov_to_buf(iov, out_num, 0, src, src_len);
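Review bot: the sum at `max_len = src_len + dst_len;` is computed before it is widened to uint64_t, so if src_len and dst_len are 32-bit (both are filled from ldl_le_p() loads of fields in the guest's request), two large lengths can wrap to a small value and pass the `max_len > vcrypto->conf.max_size` check, after which `g_malloc0(src_len)` still runs with the original length. Cast one operand, `max_len = (uint64_t)src_len + dst_len;`, or compare each length against the limit separately. The virtio_error() string would also be clearer as a full phrase that names the request.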
--
2.43.0
* [PATCH 2/2] cryptodev-builtin: Limit the maximum size
2025-12-14 9:09 [PATCH 0/2] Avoid QEMU OOM on huge request from guest zhenwei pi
2025-12-14 9:09 ` [PATCH 1/2] hw/virtio/virtio-crypto: verify asym request size zhenwei pi
@ 2025-12-14 9:09 ` zhenwei pi
1 sibling, 0 replies; 6+ messages in thread
From: zhenwei pi @ 2025-12-14 9:09 UTC (permalink / raw)
To: qemu-devel
Cc: mst, arei.gonglei, nakamurajames123, qemu-security, mcascell,
zhenwei pi
This backend driver is used for demonstration purposes only, unlimited
size leads to QEMU OOM.
Fixes: 1653a5f3fc7 ("cryptodev: introduce a new cryptodev backend")
Reported-by: AM 이재영 <nakamurajames123@gmail.com>
Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
---
backends/cryptodev-builtin.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c
index 0414c01e06..55a3fbd27b 100644
--- a/backends/cryptodev-builtin.c
+++ b/backends/cryptodev-builtin.c
@@ -53,6 +53,8 @@ typedef struct CryptoDevBackendBuiltinSession {
#define CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN 512
#define CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN 64
+/* demonstration purposes only, use a limited size to avoid QEMU OOM */
+#define CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE (1024 * 1024)
struct CryptoDevBackendBuiltin {
CryptoDevBackend parent_obj;
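Review bot: the comment above CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE explains why a limit exists but not its unit or why 1 MiB was picked; say that it is bytes per request and how the value relates to the largest request the builtin algorithms need. The new name also carries the BUITLIN misspelling of the neighbouring macros, which is consistent here but worth a separate cleanup.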
@@ -98,12 +100,7 @@ static void cryptodev_builtin_init(
1u << QCRYPTODEV_BACKEND_SERVICE_TYPE_MAC;
backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC;
backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1;
- /*
- * Set the Maximum length of crypto request.
- * Why this value? Just avoid to overflow when
- * memory allocation for each crypto request.
- */
- backend->conf.max_size = LONG_MAX - sizeof(CryptoDevBackendOpInfo);
+ backend->conf.max_size = CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE;
backend->conf.max_cipher_key_len = CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN;
backend->conf.max_auth_key_len = CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN;
cryptodev_builtin_init_akcipher(backend);
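Review bot: at `backend->conf.max_size = CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE;` the new value is only a configuration field, so it bounds allocations only where a request handler compares against conf.max_size, which for asym requests is the check introduced in patch 1/2. The commit message should state that dependency, and that requests between 1 MiB and the old `LONG_MAX - sizeof(CryptoDevBackendOpInfo)` bound, previously accepted, are now rejected.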
--
2.43.0
* Re: [PATCH 1/2] hw/virtio/virtio-crypto: verify asym request size
2025-12-14 9:09 ` [PATCH 1/2] hw/virtio/virtio-crypto: verify asym request size zhenwei pi
@ 2025-12-18 10:43 ` Mauro Matteo Cascella
2025-12-19 0:24 ` zhenwei pi
2025-12-20 17:45 ` Michael Tokarev
1 sibling, 1 reply; 6+ messages in thread
From: Mauro Matteo Cascella @ 2025-12-18 10:43 UTC (permalink / raw)
To: zhenwei pi; +Cc: qemu-devel, mst, arei.gonglei, nakamurajames123, qemu-security
On Sun, Dec 14, 2025 at 10:19 AM zhenwei pi <zhenwei.pi@linux.dev> wrote:
>
> The total length of request is limited by cryptodev config, verify it
> to avoid unexpected request from guest.
CVE-2025-14876 has been assigned to this bug.
Thanks,
> Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm")
> Reported-by: AM 이재영 <nakamurajames123@gmail.com>
> Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
> ---
> hw/virtio/virtio-crypto.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
> index 517f2089c5..94dbf9d92d 100644
> --- a/hw/virtio/virtio-crypto.c
> +++ b/hw/virtio/virtio-crypto.c
> @@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto,
> uint32_t len;
> uint8_t *src = NULL;
> uint8_t *dst = NULL;
> + uint64_t max_len;
>
> asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1);
> src_len = ldl_le_p(&req->para.src_data_len);
> dst_len = ldl_le_p(&req->para.dst_data_len);
>
> + max_len = src_len + dst_len;
> + if (unlikely(max_len > vcrypto->conf.max_size)) {
> + virtio_error(vdev, "virtio-crypto asym too big length");
> + goto err;
> + }
> +
> if (src_len > 0) {
> src = g_malloc0(src_len);
> len = iov_to_buf(iov, out_num, 0, src, src_len);
> --
> 2.43.0
>
--
Mauro Matteo Cascella
Red Hat Product Security
PGP-Key ID: BB3410B0
* Re: [PATCH 1/2] hw/virtio/virtio-crypto: verify asym request size
2025-12-18 10:43 ` Mauro Matteo Cascella
@ 2025-12-19 0:24 ` zhenwei pi
0 siblings, 0 replies; 6+ messages in thread
From: zhenwei pi @ 2025-12-19 0:24 UTC (permalink / raw)
To: Mauro Matteo Cascella
Cc: qemu-devel, mst, arei.gonglei, nakamurajames123, qemu-security
On 12/18/25 18:43, Mauro Matteo Cascella wrote:
> On Sun, Dec 14, 2025 at 10:19 AM zhenwei pi <zhenwei.pi@linux.dev> wrote:
>>
>> The total length of request is limited by cryptodev config, verify it
>> to avoid unexpected request from guest.
>
> CVE-2025-14876 has been assigned to this bug.
>
> Thanks,
>
OK, I suggest the two patches are tagged with this CVE. The root reason
of this issue:
- the lack of limitation from hw akcipher (this fix)
- so huge limitation (almost LONG_MAX bytes) from backend builtin driver
(the next fix)
>> Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm")
>> Reported-by: AM 이재영 <nakamurajames123@gmail.com>
>> Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
>> ---
>> hw/virtio/virtio-crypto.c | 7 +++++++
>> 1 file changed, 7 insertions(+)
>>
>> diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
>> index 517f2089c5..94dbf9d92d 100644
>> --- a/hw/virtio/virtio-crypto.c
>> +++ b/hw/virtio/virtio-crypto.c
>> @@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto,
>> uint32_t len;
>> uint8_t *src = NULL;
>> uint8_t *dst = NULL;
>> + uint64_t max_len;
>>
>> asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1);
>> src_len = ldl_le_p(&req->para.src_data_len);
>> dst_len = ldl_le_p(&req->para.dst_data_len);
>>
>> + max_len = src_len + dst_len;
>> + if (unlikely(max_len > vcrypto->conf.max_size)) {
>> + virtio_error(vdev, "virtio-crypto asym too big length");
>> + goto err;
>> + }
>> +
>> if (src_len > 0) {
>> src = g_malloc0(src_len);
>> len = iov_to_buf(iov, out_num, 0, src, src_len);
>> --
>> 2.43.0
>>
>
>
* Re: [PATCH 1/2] hw/virtio/virtio-crypto: verify asym request size
2025-12-14 9:09 ` [PATCH 1/2] hw/virtio/virtio-crypto: verify asym request size zhenwei pi
2025-12-18 10:43 ` Mauro Matteo Cascella
@ 2025-12-20 17:45 ` Michael Tokarev
1 sibling, 0 replies; 6+ messages in thread
From: Michael Tokarev @ 2025-12-20 17:45 UTC (permalink / raw)
To: zhenwei pi, qemu-devel
Cc: mst, arei.gonglei, nakamurajames123, qemu-security, mcascell
On 12/14/25 12:09, zhenwei pi wrote:
> The total length of request is limited by cryptodev config, verify it
> to avoid unexpected request from guest.
>
> Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm")
> Reported-by: AM 이재영 <nakamurajames123@gmail.com>
> Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
> ---
> hw/virtio/virtio-crypto.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
> index 517f2089c5..94dbf9d92d 100644
> --- a/hw/virtio/virtio-crypto.c
> +++ b/hw/virtio/virtio-crypto.c
> @@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto,
> uint32_t len;
> uint8_t *src = NULL;
> uint8_t *dst = NULL;
> + uint64_t max_len;
>
> asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1);
> src_len = ldl_le_p(&req->para.src_data_len);
> dst_len = ldl_le_p(&req->para.dst_data_len);
>
> + max_len = src_len + dst_len;
I believe this can be overflown when calculating the sum, while
both args are uint32_t.
max_len = (uint64_t)src_len + dst_len;
might be better. This is what's used in other places in this
file too.
I wonder if modern compilers can warn about such overflow
possibilities, and what's the better way to write such
expressions. Something like
max_len = src_len; max_len += dst_len
maybe? :)
> + if (unlikely(max_len > vcrypto->conf.max_size)) {
> + virtio_error(vdev, "virtio-crypto asym too big length");
"virtio-crypto asym request is too large" ?
Thanks,
/mjt
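The 32-bit wraparound raised in the review above, as an added stand-alone example (not code from QEMU or from any message in this thread). The function names are hypothetical, the 1 MiB limit is the value from patch 2/2, and the length pairs are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed limit: the 1 MiB value from patch 2/2. */
#define MAX_REQUEST_SIZE (1024u * 1024u)

/* As posted: uint32_t + uint32_t is evaluated in 32 bits and wraps
 * modulo 2^32 before the result is stored in the 64-bit variable. */
static bool len_ok_as_posted(uint32_t src_len, uint32_t dst_len, uint64_t max_size)
{
    uint64_t max_len = src_len + dst_len;
    return max_len <= max_size;
}

/* Suggested form: widen one operand so the addition is done in 64 bits. */
static bool len_ok_widened(uint32_t src_len, uint32_t dst_len, uint64_t max_size)
{
    uint64_t max_len = (uint64_t)src_len + dst_len;
    return max_len <= max_size;
}

/* Alternative: GCC/Clang builtin that reports the wrap explicitly. */
static bool len_ok_checked(uint32_t src_len, uint32_t dst_len, uint64_t max_size)
{
    uint32_t sum;
    if (__builtin_add_overflow(src_len, dst_len, &sum)) {
        return false;
    }
    return sum <= max_size;
}

int main(void)
{
    /* Constructed length pairs: ordinary, just over the limit, wrapping. */
    const uint32_t cases[][2] = {
        { 256u, 256u }, { MAX_REQUEST_SIZE, 1u }, { 0xFFFFFFFFu, 1u },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint32_t s = cases[i][0], d = cases[i][1];
        printf("src=%u dst=%u posted=%d widened=%d checked=%d\n", s, d,
               len_ok_as_posted(s, d, MAX_REQUEST_SIZE),
               len_ok_widened(s, d, MAX_REQUEST_SIZE),
               len_ok_checked(s, d, MAX_REQUEST_SIZE));
    }
    return 0;
}
```

Unsigned wraparound is defined behaviour in C, so compilers do not diagnose it by default; Clang's `-fsanitize=unsigned-integer-overflow` reports it at run time.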