* [PATCH 0/2] Avoid QEMU OOM on huge request from guest
@ 2025-12-14 9:09 zhenwei pi
  2025-12-14 9:09 ` [PATCH 1/2] hw/virtio/virtio-crypto: verify asym request size zhenwei pi
  2025-12-14 9:09 ` [PATCH 2/2] cryptodev-builtin: Limit the maximum size zhenwei pi
  0 siblings, 2 replies; 6+ messages in thread
From: zhenwei pi @ 2025-12-14 9:09 UTC
To: qemu-devel
Cc: mst, arei.gonglei, nakamurajames123, qemu-security, mcascell, zhenwei pi

Fix two issues in this series:
- Verify asym request size from device level
- Limit the maximum size for cryptodev builtin driver

zhenwei pi (2):
  hw/virtio/virtio-crypto: verify asym request size
  cryptodev-builtin: Limit the maximum size

 backends/cryptodev-builtin.c | 9 +++------
 hw/virtio/virtio-crypto.c    | 7 +++++++
 2 files changed, 10 insertions(+), 6 deletions(-)

--
2.43.0
* [PATCH 1/2] hw/virtio/virtio-crypto: verify asym request size 2025-12-14 9:09 [PATCH 0/2] Avoid QEMU OOM on huge request from guest zhenwei pi @ 2025-12-14 9:09 ` zhenwei pi 2025-12-18 10:43 ` Mauro Matteo Cascella 2025-12-20 17:45 ` Michael Tokarev 2025-12-14 9:09 ` [PATCH 2/2] cryptodev-builtin: Limit the maximum size zhenwei pi 1 sibling, 2 replies; 6+ messages in thread From: zhenwei pi @ 2025-12-14 9:09 UTC (permalink / raw) To: qemu-devel Cc: mst, arei.gonglei, nakamurajames123, qemu-security, mcascell, zhenwei pi The total lenght of request is limited by cryptodev config, verify it to avoid unexpected request from guest. Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm") Reported-by: AM 이재영 <nakamurajames123@gmail.com> Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev> --- hw/virtio/virtio-crypto.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c index 517f2089c5..94dbf9d92d 100644 --- a/hw/virtio/virtio-crypto.c +++ b/hw/virtio/virtio-crypto.c @@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto, uint32_t len; uint8_t *src = NULL; uint8_t *dst = NULL; + uint64_t max_len; asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1); src_len = ldl_le_p(&req->para.src_data_len); dst_len = ldl_le_p(&req->para.dst_data_len); + max_len = src_len + dst_len; + if (unlikely(max_len > vcrypto->conf.max_size)) { + virtio_error(vdev, "virtio-crypto asym too big length"); + goto err; + } + if (src_len > 0) { src = g_malloc0(src_len); len = iov_to_buf(iov, out_num, 0, src, src_len); -- 2.43.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
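Review bot: the added sum in virtio_crypto_handle_asym_req(), "max_len = src_len + dst_len;", can wrap before it reaches the 64-bit variable. Both operands are loaded with ldl_le_p() as 32-bit values, and if their declarations (above the hunk, not visible here) are 32-bit types, the addition is done in 32 bits and only the wrapped result is widened, so two large lengths can produce a small max_len that passes the "max_len > vcrypto->conf.max_size" test. Widen one operand first, "max_len = (uint64_t)src_len + dst_len;". The variable holds the request's total length rather than a maximum, so a name such as total_len would describe it better. The check also sits after the g_new0() of asym_op_info, so it depends on the err label (outside the hunk) releasing that allocation; moving the check above the allocation would remove the dependency.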
* Re: [PATCH 1/2] hw/virtio/virtio-crypto: verify asym request size 2025-12-14 9:09 ` [PATCH 1/2] hw/virtio/virtio-crypto: verify asym request size zhenwei pi @ 2025-12-18 10:43 ` Mauro Matteo Cascella 2025-12-19 0:24 ` zhenwei pi 2025-12-20 17:45 ` Michael Tokarev 1 sibling, 1 reply; 6+ messages in thread From: Mauro Matteo Cascella @ 2025-12-18 10:43 UTC (permalink / raw) To: zhenwei pi; +Cc: qemu-devel, mst, arei.gonglei, nakamurajames123, qemu-security On Sun, Dec 14, 2025 at 10:19 AM zhenwei pi <zhenwei.pi@linux.dev> wrote: > > The total lenght of request is limited by cryptodev config, verify it > to avoid unexpected request from guest. CVE-2025-14876 has been assigned to this bug. Thanks, > Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm") > Reported-by: AM 이재영 <nakamurajames123@gmail.com> > Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev> > --- > hw/virtio/virtio-crypto.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c > index 517f2089c5..94dbf9d92d 100644 > --- a/hw/virtio/virtio-crypto.c > +++ b/hw/virtio/virtio-crypto.c > @@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto, > uint32_t len; > uint8_t *src = NULL; > uint8_t *dst = NULL; > + uint64_t max_len; > > asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1); > src_len = ldl_le_p(&req->para.src_data_len); > dst_len = ldl_le_p(&req->para.dst_data_len); > > + max_len = src_len + dst_len; > + if (unlikely(max_len > vcrypto->conf.max_size)) { > + virtio_error(vdev, "virtio-crypto asym too big length"); > + goto err; > + } > + > if (src_len > 0) { > src = g_malloc0(src_len); > len = iov_to_buf(iov, out_num, 0, src, src_len); > -- > 2.43.0 > -- Mauro Matteo Cascella Red Hat Product Security PGP-Key ID: BB3410B0 ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/2] hw/virtio/virtio-crypto: verify asym request size 2025-12-18 10:43 ` Mauro Matteo Cascella @ 2025-12-19 0:24 ` zhenwei pi 0 siblings, 0 replies; 6+ messages in thread From: zhenwei pi @ 2025-12-19 0:24 UTC (permalink / raw) To: Mauro Matteo Cascella Cc: qemu-devel, mst, arei.gonglei, nakamurajames123, qemu-security On 12/18/25 18:43, Mauro Matteo Cascella wrote: > On Sun, Dec 14, 2025 at 10:19 AM zhenwei pi <zhenwei.pi@linux.dev> wrote: >> >> The total lenght of request is limited by cryptodev config, verify it >> to avoid unexpected request from guest. > > CVE-2025-14876 has been assigned to this bug. > > Thanks, > OK, I suggest the two patches are tagged with this CVE. This root reason of this issue: - the lack of limitation from hw akcipher (this fix) - so huge limitation (almost LONG_MAX bytes) from backend builtin driver (the next fix) >> Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm") >> Reported-by: AM 이재영 <nakamurajames123@gmail.com> >> Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev> >> --- >> hw/virtio/virtio-crypto.c | 7 +++++++ >> 1 file changed, 7 insertions(+) >> >> diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c >> index 517f2089c5..94dbf9d92d 100644 >> --- a/hw/virtio/virtio-crypto.c >> +++ b/hw/virtio/virtio-crypto.c >> @@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto, >> uint32_t len; >> uint8_t *src = NULL; >> uint8_t *dst = NULL; >> + uint64_t max_len; >> >> asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1); >> src_len = ldl_le_p(&req->para.src_data_len); >> dst_len = ldl_le_p(&req->para.dst_data_len); >> >> + max_len = src_len + dst_len; >> + if (unlikely(max_len > vcrypto->conf.max_size)) { >> + virtio_error(vdev, "virtio-crypto asym too big length"); >> + goto err; >> + } >> + >> if (src_len > 0) { >> src = g_malloc0(src_len); >> len = iov_to_buf(iov, out_num, 0, src, src_len); >> -- >> 2.43.0 >> > > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 1/2] hw/virtio/virtio-crypto: verify asym request size 2025-12-14 9:09 ` [PATCH 1/2] hw/virtio/virtio-crypto: verify asym request size zhenwei pi 2025-12-18 10:43 ` Mauro Matteo Cascella @ 2025-12-20 17:45 ` Michael Tokarev 1 sibling, 0 replies; 6+ messages in thread From: Michael Tokarev @ 2025-12-20 17:45 UTC (permalink / raw) To: zhenwei pi, qemu-devel Cc: mst, arei.gonglei, nakamurajames123, qemu-security, mcascell On 12/14/25 12:09, zhenwei pi wrote: > The total lenght of request is limited by cryptodev config, verify it > to avoid unexpected request from guest. > > Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm") > Reported-by: AM 이재영 <nakamurajames123@gmail.com> > Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev> > --- > hw/virtio/virtio-crypto.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c > index 517f2089c5..94dbf9d92d 100644 > --- a/hw/virtio/virtio-crypto.c > +++ b/hw/virtio/virtio-crypto.c > @@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto, > uint32_t len; > uint8_t *src = NULL; > uint8_t *dst = NULL; > + uint64_t max_len; > > asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1); > src_len = ldl_le_p(&req->para.src_data_len); > dst_len = ldl_le_p(&req->para.dst_data_len); > > + max_len = src_len + dst_len; I believe this can be overflown when calculating the sum, while both args are uint32_t. max_len = (uint64_t)src_len + dst_len; might be better. This is what's used in other places in this file too. I wonder if modern compilers can warn about such overflow possibilities, and what's the better way to write such expressions. Something like max_len = src_len; max_len += dst_len maybe? :) > + if (unlikely(max_len > vcrypto->conf.max_size)) { > + virtio_error(vdev, "virtio-crypto asym too big length"); "virtio-crypto asym request is too large" ? Thanks, /mjt ^ permalink raw reply [flat|nested] 6+ messages in thread
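The 32-bit wrap raised in the reply above, as an added example that is not part of the thread or of QEMU's code. It assumes both lengths are uint32_t, as the reply states; the function names are hypothetical and the 1 MiB limit is a constructed value mirroring patch 2/2.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed limit for this example (1 MiB, as in patch 2/2). */
#define MAX_SIZE (1024u * 1024u)

/* The check as posted: the sum is evaluated in 32 bits, then widened. */
static bool check_as_posted(uint32_t src_len, uint32_t dst_len, uint64_t max_size)
{
    uint64_t total = src_len + dst_len;      /* wraps modulo 2^32 */
    return total <= max_size;
}

/* Widen one operand first so the addition is carried out in 64 bits. */
static bool check_widened(uint32_t src_len, uint32_t dst_len, uint64_t max_size)
{
    uint64_t total = (uint64_t)src_len + dst_len;
    return total <= max_size;
}

/* Alternative that never forms the sum: compare against the remaining budget. */
static bool check_budget(uint32_t src_len, uint32_t dst_len, uint64_t max_size)
{
    return src_len <= max_size && dst_len <= max_size - src_len;
}

int main(void)
{
    /* Constructed guest-supplied length pairs: { src_len, dst_len }. */
    static const uint32_t cases[][2] = {
        { 4096u, 4096u },             /* ordinary request */
        { MAX_SIZE, 1u },             /* one byte over the limit */
        { 0x80000000u, 0x80000000u }, /* 32-bit sum wraps to 0 */
        { 0xFFFFFFFFu, 1u },          /* 32-bit sum wraps to 0 */
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        uint32_t s = cases[i][0], d = cases[i][1];
        printf("src=0x%08x dst=0x%08x posted=%d widened=%d budget=%d\n",
               (unsigned)s, (unsigned)d,
               check_as_posted(s, d, MAX_SIZE),
               check_widened(s, d, MAX_SIZE),
               check_budget(s, d, MAX_SIZE));
    }
    return 0;
}
```

A result of 1 means the request is accepted; the last two pairs are accepted only by the check that adds in 32 bits.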
* [PATCH 2/2] cryptodev-builtin: Limit the maximum size 2025-12-14 9:09 [PATCH 0/2] Avoid QEMU OOM on huge request from guest zhenwei pi 2025-12-14 9:09 ` [PATCH 1/2] hw/virtio/virtio-crypto: verify asym request size zhenwei pi @ 2025-12-14 9:09 ` zhenwei pi 1 sibling, 0 replies; 6+ messages in thread From: zhenwei pi @ 2025-12-14 9:09 UTC (permalink / raw) To: qemu-devel Cc: mst, arei.gonglei, nakamurajames123, qemu-security, mcascell, zhenwei pi This backend driver is used for demonstration purposes only, unlimited size leads QEMU OOM. Fixes: 1653a5f3fc7 ("cryptodev: introduce a new cryptodev backend") Reported-by: AM 이재영 <nakamurajames123@gmail.com> Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev> --- backends/cryptodev-builtin.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c index 0414c01e06..55a3fbd27b 100644 --- a/backends/cryptodev-builtin.c +++ b/backends/cryptodev-builtin.c @@ -53,6 +53,8 @@ typedef struct CryptoDevBackendBuiltinSession { #define CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN 512 #define CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN 64 +/* demonstration purposes only, use a limited size to avoid QEMU OOM */ +#define CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE (1024 * 1024) struct CryptoDevBackendBuiltin { CryptoDevBackend parent_obj; 
@@ -98,12 +100,7 @@ static void cryptodev_builtin_init( 1u << QCRYPTODEV_BACKEND_SERVICE_TYPE_MAC; backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC; backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1; - /* - * Set the Maximum length of crypto request. - * Why this value? Just avoid to overflow when - * memory allocation for each crypto request. - */ - backend->conf.max_size = LONG_MAX - sizeof(CryptoDevBackendOpInfo); + backend->conf.max_size = CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE; backend->conf.max_cipher_key_len = CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN; backend->conf.max_auth_key_len = CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN; cryptodev_builtin_init_akcipher(backend); -- 2.43.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
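Review bot: the comment added above CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE in the first hunk gives the motive for a cap but not the unit or why 1024 * 1024 was picked. Say that the value is in bytes and applies to a single request, for example "1 MiB per request", so a later reader can judge whether raising it is safe. A blank line before the comment would also keep it visually separate from the two key-length defines it follows.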
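Review bot: in the second hunk, backend->conf.max_size in cryptodev_builtin_init() is set alongside the cipher, hash and MAC service bits, so swapping "LONG_MAX - sizeof(CryptoDevBackendOpInfo)" for the 1 MiB constant lowers the configured limit for every request type this backend serves, not only the asym path fixed in patch 1/2. The commit message mentions only the OOM; it should state this wider behaviour change so users of the builtin backend with larger symmetric requests know why they may start to be rejected.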