From: zhenwei pi <zhenwei.pi@linux.dev>
To: Mauro Matteo Cascella <mcascell@redhat.com>
Cc: qemu-devel@nongnu.org, mst@redhat.com, arei.gonglei@huawei.com,
nakamurajames123@gmail.com, qemu-security@nongnu.org
Subject: Re: [PATCH 1/2] hw/virtio/virtio-crypto: verify asym request size
Date: Fri, 19 Dec 2025 08:24:59 +0800 [thread overview]
Message-ID: <4afaf7a0-b7c6-4bf9-bcf3-875f2f633464@linux.dev> (raw)
In-Reply-To: <CAA8xKjUd3kW6gAsoUTEjdK-A1=4Y+dR0ywB=iFMf_hYZGEAQhA@mail.gmail.com>
On 12/18/25 18:43, Mauro Matteo Cascella wrote:
> On Sun, Dec 14, 2025 at 10:19 AM zhenwei pi <zhenwei.pi@linux.dev> wrote:
>>
>> The total lenght of request is limited by cryptodev config, verify it
>> to avoid unexpected request from guest.
>
> CVE-2025-14876 has been assigned to this bug.
>
> Thanks,
>
OK, I suggest the two patches are tagged with this CVE. This root reason
of this issue:
- the lack of limitation from hw akcipher (this fix)
- so huge limitation (almost LONG_MAX bytes) from backend builtin driver
(the next fix)
>> Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm")
>> Reported-by: AM 이재영 <nakamurajames123@gmail.com>
>> Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
>> ---
>> hw/virtio/virtio-crypto.c | 7 +++++++
>> 1 file changed, 7 insertions(+)
>>
>> diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
>> index 517f2089c5..94dbf9d92d 100644
>> --- a/hw/virtio/virtio-crypto.c
>> +++ b/hw/virtio/virtio-crypto.c
>> @@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto,
>> uint32_t len;
>> uint8_t *src = NULL;
>> uint8_t *dst = NULL;
>> + uint64_t max_len;
>>
>> asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1);
>> src_len = ldl_le_p(&req->para.src_data_len);
>> dst_len = ldl_le_p(&req->para.dst_data_len);
>>
>> + max_len = src_len + dst_len;
>> + if (unlikely(max_len > vcrypto->conf.max_size)) {
>> + virtio_error(vdev, "virtio-crypto asym too big length");
>> + goto err;
>> + }
>> +
>> if (src_len > 0) {
>> src = g_malloc0(src_len);
>> len = iov_to_buf(iov, out_num, 0, src, src_len);
>> --
>> 2.43.0
>>
>
>
next prev parent reply other threads:[~2025-12-19 0:26 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-14 9:09 [PATCH 0/2] Avoid QEMU OOM on huge request from guest zhenwei pi
2025-12-14 9:09 ` [PATCH 1/2] hw/virtio/virtio-crypto: verify asym request size zhenwei pi
2025-12-18 10:43 ` Mauro Matteo Cascella
2025-12-19 0:24 ` zhenwei pi [this message]
2025-12-20 17:45 ` Michael Tokarev
2025-12-14 9:09 ` [PATCH 2/2] cryptodev-builtin: Limit the maximum size zhenwei pi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4afaf7a0-b7c6-4bf9-bcf3-875f2f633464@linux.dev \
--to=zhenwei.pi@linux.dev \
--cc=arei.gonglei@huawei.com \
--cc=mcascell@redhat.com \
--cc=mst@redhat.com \
--cc=nakamurajames123@gmail.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-security@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.