[PATCH v2 0/2] Avoid QEMU OOM on huge request from guest

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH v2 0/2] Avoid QEMU OOM on huge request from guest
@ 2025-12-21  2:43 zhenwei pi
  2025-12-21  2:43 ` [PATCH v2 1/2] hw/virtio/virtio-crypto: verify asym request size zhenwei pi
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: zhenwei pi @ 2025-12-21  2:43 UTC (permalink / raw)
  To: qemu-devel; +Cc: mst, arei.gonglei, mcascell, nakamurajames123, zhenwei pi

From: zhenwei pi <pizhenwei@tensorfer.com>

v2:
- Fix possible overflow
- Append tag "Fixes: CVE-2025-14876" in commit message

v1:
Fix two issues in this series:
- Verify asym request size from device level
- Limit the maximum size for cryptodev builtin driver

zhenwei pi (2):
  hw/virtio/virtio-crypto: verify asym request size
  cryptodev-builtin: Limit the maximum size

 backends/cryptodev-builtin.c | 9 +++------
 hw/virtio/virtio-crypto.c    | 7 +++++++
 2 files changed, 10 insertions(+), 6 deletions(-)

-- 
2.43.0



^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH v2 1/2] hw/virtio/virtio-crypto: verify asym request size
  2025-12-21  2:43 [PATCH v2 0/2] Avoid QEMU OOM on huge request from guest zhenwei pi
@ 2025-12-21  2:43 ` zhenwei pi
  2025-12-21  2:43 ` [PATCH v2 2/2] cryptodev-builtin: Limit the maximum size zhenwei pi
  2026-02-05 21:48 ` [PATCH v2 0/2] Avoid QEMU OOM on huge request from guest Michael Tokarev
  2 siblings, 0 replies; 6+ messages in thread
From: zhenwei pi @ 2025-12-21  2:43 UTC (permalink / raw)
  To: qemu-devel
  Cc: mst, arei.gonglei, mcascell, nakamurajames123, zhenwei pi,
	zhenwei pi

From: zhenwei pi <pizhenwei@tensorfer.com>

The total lenght of request is limited by cryptodev config, verify it
to avoid unexpected request from guest.

Fixes: CVE-2025-14876
Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm")
Reported-by: 이재영 <nakamurajames123@gmail.com>
Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
---
 hw/virtio/virtio-crypto.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
index 517f2089c5..b20f299937 100644
--- a/hw/virtio/virtio-crypto.c
+++ b/hw/virtio/virtio-crypto.c
@@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto,
     uint32_t len;
     uint8_t *src = NULL;
     uint8_t *dst = NULL;
+    uint64_t max_len;
 
     asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1);
     src_len = ldl_le_p(&req->para.src_data_len);
     dst_len = ldl_le_p(&req->para.dst_data_len);
 
+    max_len = (uint64_t)src_len + dst_len;
+    if (unlikely(max_len > vcrypto->conf.max_size)) {
+        virtio_error(vdev, "virtio-crypto asym request is too large");
+        goto err;
+    }
+
     if (src_len > 0) {
         src = g_malloc0(src_len);
         len = iov_to_buf(iov, out_num, 0, src, src_len);
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [PATCH v2 2/2] cryptodev-builtin: Limit the maximum size
  2025-12-21  2:43 [PATCH v2 0/2] Avoid QEMU OOM on huge request from guest zhenwei pi
  2025-12-21  2:43 ` [PATCH v2 1/2] hw/virtio/virtio-crypto: verify asym request size zhenwei pi
@ 2025-12-21  2:43 ` zhenwei pi
  2025-12-22  1:29   ` Gonglei (Arei)
  2026-02-05 21:48 ` [PATCH v2 0/2] Avoid QEMU OOM on huge request from guest Michael Tokarev
  2 siblings, 1 reply; 6+ messages in thread
From: zhenwei pi @ 2025-12-21  2:43 UTC (permalink / raw)
  To: qemu-devel
  Cc: mst, arei.gonglei, mcascell, nakamurajames123, zhenwei pi,
	zhenwei pi

From: zhenwei pi <pizhenwei@tensorfer.com>

This backend driver is used for demonstration purposes only, unlimited
size leads QEMU OOM.

Fixes: CVE-2025-14876
Fixes: 1653a5f3fc7 ("cryptodev: introduce a new cryptodev backend")
Reported-by: 이재영 <nakamurajames123@gmail.com>
Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
---
 backends/cryptodev-builtin.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c
index 0414c01e06..55a3fbd27b 100644
--- a/backends/cryptodev-builtin.c
+++ b/backends/cryptodev-builtin.c
@@ -53,6 +53,8 @@ typedef struct CryptoDevBackendBuiltinSession {
 
 #define CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN    512
 #define CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN  64
+/* demonstration purposes only, use a limited size to avoid QEMU OOM */
+#define CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE  (1024 * 1024)
 
 struct CryptoDevBackendBuiltin {
     CryptoDevBackend parent_obj;
@@ -98,12 +100,7 @@ static void cryptodev_builtin_init(
                          1u << QCRYPTODEV_BACKEND_SERVICE_TYPE_MAC;
     backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC;
     backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1;
-    /*
-     * Set the Maximum length of crypto request.
-     * Why this value? Just avoid to overflow when
-     * memory allocation for each crypto request.
-     */
-    backend->conf.max_size = LONG_MAX - sizeof(CryptoDevBackendOpInfo);
+    backend->conf.max_size = CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE;
     backend->conf.max_cipher_key_len = CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN;
     backend->conf.max_auth_key_len = CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN;
     cryptodev_builtin_init_akcipher(backend);
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 6+ messages in thread

* RE: [PATCH v2 2/2] cryptodev-builtin: Limit the maximum size
  2025-12-21  2:43 ` [PATCH v2 2/2] cryptodev-builtin: Limit the maximum size zhenwei pi
@ 2025-12-22  1:29   ` Gonglei (Arei)
  2025-12-22  9:06     ` zhenwei pi
  0 siblings, 1 reply; 6+ messages in thread
From: Gonglei (Arei) @ 2025-12-22  1:29 UTC (permalink / raw)
  To: zhenwei pi, qemu-devel@nongnu.org
  Cc: mst@redhat.com, mcascell@redhat.com, nakamurajames123@gmail.com,
	zhenwei pi

Hi,

> -----Original Message-----
> From: zhenwei pi <zhenwei.pi@linux.dev>
> Sent: Sunday, December 21, 2025 10:43 AM
> To: qemu-devel@nongnu.org
> Cc: mst@redhat.com; Gonglei (Arei) <arei.gonglei@huawei.com>;
> mcascell@redhat.com; nakamurajames123@gmail.com; zhenwei pi
> <pizhenwei@tensorfer.com>; zhenwei pi <zhenwei.pi@linux.dev>
> Subject: [PATCH v2 2/2] cryptodev-builtin: Limit the maximum size
> 
> From: zhenwei pi <pizhenwei@tensorfer.com>
> 
> This backend driver is used for demonstration purposes only, unlimited size leads
> QEMU OOM.
> 
> Fixes: CVE-2025-14876

Actually, I don't think this fix has anything to do with the CVE. You can consider it an improvement.

> Fixes: 1653a5f3fc7 ("cryptodev: introduce a new cryptodev backend")
> Reported-by: 이재영 <nakamurajames123@gmail.com>
> Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
> ---
>  backends/cryptodev-builtin.c | 9 +++------
>  1 file changed, 3 insertions(+), 6 deletions(-)
> 
> diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c index
> 0414c01e06..55a3fbd27b 100644
> --- a/backends/cryptodev-builtin.c
> +++ b/backends/cryptodev-builtin.c
> @@ -53,6 +53,8 @@ typedef struct CryptoDevBackendBuiltinSession {
> 
>  #define CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN    512
>  #define CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN  64
> +/* demonstration purposes only, use a limited size to avoid QEMU OOM */
> +#define CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE  (1024 * 1024)
> 
>  struct CryptoDevBackendBuiltin {
>      CryptoDevBackend parent_obj;
> @@ -98,12 +100,7 @@ static void cryptodev_builtin_init(
>                           1u <<
> QCRYPTODEV_BACKEND_SERVICE_TYPE_MAC;
>      backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC;
>      backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1;
> -    /*
> -     * Set the Maximum length of crypto request.
> -     * Why this value? Just avoid to overflow when
> -     * memory allocation for each crypto request.
> -     */
> -    backend->conf.max_size = LONG_MAX - sizeof(CryptoDevBackendOpInfo);
> +    backend->conf.max_size = CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE;
>      backend->conf.max_cipher_key_len =
> CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN;
>      backend->conf.max_auth_key_len =
> CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN;
>      cryptodev_builtin_init_akcipher(backend);
> --
> 2.43.0


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2 2/2] cryptodev-builtin: Limit the maximum size
  2025-12-22  1:29   ` Gonglei (Arei)
@ 2025-12-22  9:06     ` zhenwei pi
  0 siblings, 0 replies; 6+ messages in thread
From: zhenwei pi @ 2025-12-22  9:06 UTC (permalink / raw)
  To: Gonglei (Arei), qemu-devel@nongnu.org
  Cc: mst@redhat.com, mcascell@redhat.com, nakamurajames123@gmail.com,
	zhenwei pi


On 12/22/25 09:29, Gonglei (Arei) wrote:
> Hi,
> 
>> -----Original Message-----
>> From: zhenwei pi <zhenwei.pi@linux.dev>
>> Sent: Sunday, December 21, 2025 10:43 AM
>> To: qemu-devel@nongnu.org
>> Cc: mst@redhat.com; Gonglei (Arei) <arei.gonglei@huawei.com>;
>> mcascell@redhat.com; nakamurajames123@gmail.com; zhenwei pi
>> <pizhenwei@tensorfer.com>; zhenwei pi <zhenwei.pi@linux.dev>
>> Subject: [PATCH v2 2/2] cryptodev-builtin: Limit the maximum size
>>
>> From: zhenwei pi <pizhenwei@tensorfer.com>
>>
>> This backend driver is used for demonstration purposes only, unlimited size leads
>> QEMU OOM.
>>
>> Fixes: CVE-2025-14876
> 
> Actually, I don't think this fix has anything to do with the CVE. You can consider it an improvement.
> 

The original size is almost LONG_MAX, it does not limit memory usage of 
QEMU. So I used to think it was also a part of this CVE.

I also have no objection to removing this tag from here.

>> Fixes: 1653a5f3fc7 ("cryptodev: introduce a new cryptodev backend")
>> Reported-by: 이재영 <nakamurajames123@gmail.com>
>> Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
>> ---
>>   backends/cryptodev-builtin.c | 9 +++------
>>   1 file changed, 3 insertions(+), 6 deletions(-)
>>
>> diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c index
>> 0414c01e06..55a3fbd27b 100644
>> --- a/backends/cryptodev-builtin.c
>> +++ b/backends/cryptodev-builtin.c
>> @@ -53,6 +53,8 @@ typedef struct CryptoDevBackendBuiltinSession {
>>
>>   #define CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN    512
>>   #define CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN  64
>> +/* demonstration purposes only, use a limited size to avoid QEMU OOM */
>> +#define CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE  (1024 * 1024)
>>
>>   struct CryptoDevBackendBuiltin {
>>       CryptoDevBackend parent_obj;
>> @@ -98,12 +100,7 @@ static void cryptodev_builtin_init(
>>                            1u <<
>> QCRYPTODEV_BACKEND_SERVICE_TYPE_MAC;
>>       backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC;
>>       backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1;
>> -    /*
>> -     * Set the Maximum length of crypto request.
>> -     * Why this value? Just avoid to overflow when
>> -     * memory allocation for each crypto request.
>> -     */
>> -    backend->conf.max_size = LONG_MAX - sizeof(CryptoDevBackendOpInfo);
>> +    backend->conf.max_size = CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE;
>>       backend->conf.max_cipher_key_len =
>> CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN;
>>       backend->conf.max_auth_key_len =
>> CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN;
>>       cryptodev_builtin_init_akcipher(backend);
>> --
>> 2.43.0
> 



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2 0/2] Avoid QEMU OOM on huge request from guest
  2025-12-21  2:43 [PATCH v2 0/2] Avoid QEMU OOM on huge request from guest zhenwei pi
  2025-12-21  2:43 ` [PATCH v2 1/2] hw/virtio/virtio-crypto: verify asym request size zhenwei pi
  2025-12-21  2:43 ` [PATCH v2 2/2] cryptodev-builtin: Limit the maximum size zhenwei pi
@ 2026-02-05 21:48 ` Michael Tokarev
  2 siblings, 0 replies; 6+ messages in thread
From: Michael Tokarev @ 2026-02-05 21:48 UTC (permalink / raw)
  To: zhenwei pi, qemu-devel
  Cc: mst, arei.gonglei, mcascell, nakamurajames123, zhenwei pi,
	qemu-stable

On 12/21/25 05:43, zhenwei pi wrote:
> From: zhenwei pi <pizhenwei@tensorfer.com>
> 
> v2:
> - Fix possible overflow
> - Append tag "Fixes: CVE-2025-14876" in commit message
> 
> v1:
> Fix two issues in this series:
> - Verify asym request size from device level
> - Limit the maximum size for cryptodev builtin driver
> 
> zhenwei pi (2):
>    hw/virtio/virtio-crypto: verify asym request size
>    cryptodev-builtin: Limit the maximum size
> 
>   backends/cryptodev-builtin.c | 9 +++------
>   hw/virtio/virtio-crypto.c    | 7 +++++++
>   2 files changed, 10 insertions(+), 6 deletions(-)

I'm picking these two patches up for qemu stable releases.
Please let me know if I shouldn't.

Thanks,

/mjt


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2026-02-05 21:48 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-12-21  2:43 [PATCH v2 0/2] Avoid QEMU OOM on huge request from guest zhenwei pi
2025-12-21  2:43 ` [PATCH v2 1/2] hw/virtio/virtio-crypto: verify asym request size zhenwei pi
2025-12-21  2:43 ` [PATCH v2 2/2] cryptodev-builtin: Limit the maximum size zhenwei pi
2025-12-22  1:29   ` Gonglei (Arei)
2025-12-22  9:06     ` zhenwei pi
2026-02-05 21:48 ` [PATCH v2 0/2] Avoid QEMU OOM on huge request from guest Michael Tokarev

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.