From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 93261E6748D for ; Mon, 22 Dec 2025 09:07:34 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vXbsO-0005BO-OV; Mon, 22 Dec 2025 04:06:48 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vXbsM-0005BC-4h for qemu-devel@nongnu.org; Mon, 22 Dec 2025 04:06:47 -0500 Received: from out-182.mta1.migadu.com ([2001:41d0:203:375::b6]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vXbsJ-0000ZA-Fd for qemu-devel@nongnu.org; Mon, 22 Dec 2025 04:06:45 -0500 Message-ID: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1766394386; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=SHIgXzsvjceMpa8uDRWLkLvzBUEwULXuemiZBfH1eok=; b=Ywudojjt8Q+1guPS0F9+NDIQKKPtHEDXEeTG3PIaDR0G7Rf/IqMfiuG6ng3j6TBZnIJNls eP98aLjeeGzw/t8zDWtWxx1mLsBpxsEfnX1fzo94V9Sx3YyMeeXyWaZr+L4jh6DQMpd/y7 7cF9SRZ08VS1flSaDiNcR5yJ6wvGqxI= Date: Mon, 22 Dec 2025 17:06:16 +0800 MIME-Version: 1.0 Subject: Re: [PATCH v2 2/2] cryptodev-builtin: Limit the maximum size To: "Gonglei (Arei)" , "qemu-devel@nongnu.org" Cc: "mst@redhat.com" , "mcascell@redhat.com" , "nakamurajames123@gmail.com" , zhenwei pi References: <20251221024321.143196-1-zhenwei.pi@linux.dev> <20251221024321.143196-3-zhenwei.pi@linux.dev> <60bb168c3ffb4eaba31c7699750c9625@huawei.com> Content-Language: en-US X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: zhenwei pi In-Reply-To: <60bb168c3ffb4eaba31c7699750c9625@huawei.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Migadu-Flow: FLOW_OUT Received-SPF: pass client-ip=2001:41d0:203:375::b6; envelope-from=zhenwei.pi@linux.dev; helo=out-182.mta1.migadu.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org On 12/22/25 09:29, Gonglei (Arei) wrote: > Hi, > >> -----Original Message----- >> From: zhenwei pi >> Sent: Sunday, December 21, 2025 10:43 AM >> To: qemu-devel@nongnu.org >> Cc: mst@redhat.com; Gonglei (Arei) ; >> mcascell@redhat.com; nakamurajames123@gmail.com; zhenwei pi >> ; zhenwei pi >> Subject: [PATCH v2 2/2] cryptodev-builtin: Limit the maximum size >> >> From: zhenwei pi >> >> This backend driver is used for demonstration purposes only, unlimited size leads >> QEMU OOM. >> >> Fixes: CVE-2025-14876 > > Actually, I don't think this fix has anything to do with the CVE. You can consider it an improvement. > The original size is almost LONG_MAX, it does not limit memory usage of QEMU. So I used to think it was also a part of this CVE. I also have no objection to removing this tag from here. >> Fixes: 1653a5f3fc7 ("cryptodev: introduce a new cryptodev backend") >> Reported-by: 이재영 >> Signed-off-by: zhenwei pi >> --- >> backends/cryptodev-builtin.c | 9 +++------ >> 1 file changed, 3 insertions(+), 6 deletions(-) >> >> diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c index >> 0414c01e06..55a3fbd27b 100644 >> --- a/backends/cryptodev-builtin.c >> +++ b/backends/cryptodev-builtin.c >> @@ -53,6 +53,8 @@ typedef struct CryptoDevBackendBuiltinSession { >> >> #define CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN 512 >> #define CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN 64 >> +/* demonstration purposes only, use a limited size to avoid QEMU OOM */ >> +#define CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE (1024 * 1024) >> >> struct CryptoDevBackendBuiltin { >> CryptoDevBackend parent_obj; >> @@ -98,12 +100,7 @@ static void cryptodev_builtin_init( >> 1u << >> QCRYPTODEV_BACKEND_SERVICE_TYPE_MAC; >> backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC; >> backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1; >> - /* >> - * Set the Maximum length of crypto request. >> - * Why this value? Just avoid to overflow when >> - * memory allocation for each crypto request. >> - */ >> - backend->conf.max_size = LONG_MAX - sizeof(CryptoDevBackendOpInfo); >> + backend->conf.max_size = CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE; >> backend->conf.max_cipher_key_len = >> CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN; >> backend->conf.max_auth_key_len = >> CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN; >> cryptodev_builtin_init_akcipher(backend); >> -- >> 2.43.0 >