From: Markus Armbruster <armbru@redhat.com>
To: qemu-devel@nongnu.org
Cc: alistair.francis@wdc.com, david@gibson.dropbear.id.au,
peter.maydell@linaro.org, slp@redhat.com
Subject: [Qemu-devel] [PATCH for-4.0-maybe] device_tree: Fix integer overflowing in load_device_tree()
Date: Tue, 9 Apr 2019 19:40:18 +0200 [thread overview]
Message-ID: <20190409174018.25798-1-armbru@redhat.com> (raw)
If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
computation of @dt_size overflows to a negative number, which then
gets converted to a very large size_t for g_malloc0() and
load_image_size(). In the (fortunately improbable) case g_malloc0()
succeeds and load_image_size() survives, we'd assign the negative
number to *sizep. What that would do to the callers I can't say, but
it's unlikely to be good.
Fix by rejecting images whose size would overflow.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
---
device_tree.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/device_tree.c b/device_tree.c
index 296278e12a..f8b46b3c73 100644
--- a/device_tree.c
+++ b/device_tree.c
@@ -84,6 +84,10 @@ void *load_device_tree(const char *filename_path, int *sizep)
filename_path);
goto fail;
}
+ if (dt_size > INT_MAX / 2 - 10000) {
+ error_report("Device tree file '%s' is too large", filename_path);
+ goto fail;
+ }
/* Expand to 2x size to give enough room for manipulation. */
dt_size += 10000;
--
2.17.2
WARNING: multiple messages have this Message-ID (diff)
From: Markus Armbruster <armbru@redhat.com>
To: qemu-devel@nongnu.org
Cc: peter.maydell@linaro.org, alistair.francis@wdc.com,
slp@redhat.com, david@gibson.dropbear.id.au
Subject: [Qemu-devel] [PATCH for-4.0-maybe] device_tree: Fix integer overflowing in load_device_tree()
Date: Tue, 9 Apr 2019 19:40:18 +0200 [thread overview]
Message-ID: <20190409174018.25798-1-armbru@redhat.com> (raw)
Message-ID: <20190409174018.XhVo-wpDMF00Y0rKXCEybvA1GON-SZWWuqRfpdYPWxw@z> (raw)
If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
computation of @dt_size overflows to a negative number, which then
gets converted to a very large size_t for g_malloc0() and
load_image_size(). In the (fortunately improbable) case g_malloc0()
succeeds and load_image_size() survives, we'd assign the negative
number to *sizep. What that would do to the callers I can't say, but
it's unlikely to be good.
Fix by rejecting images whose size would overflow.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
---
device_tree.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/device_tree.c b/device_tree.c
index 296278e12a..f8b46b3c73 100644
--- a/device_tree.c
+++ b/device_tree.c
@@ -84,6 +84,10 @@ void *load_device_tree(const char *filename_path, int *sizep)
filename_path);
goto fail;
}
+ if (dt_size > INT_MAX / 2 - 10000) {
+ error_report("Device tree file '%s' is too large", filename_path);
+ goto fail;
+ }
/* Expand to 2x size to give enough room for manipulation. */
dt_size += 10000;
--
2.17.2
next reply other threads:[~2019-04-09 17:40 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-09 17:40 Markus Armbruster [this message]
2019-04-09 17:40 ` [Qemu-devel] [PATCH for-4.0-maybe] device_tree: Fix integer overflowing in load_device_tree() Markus Armbruster
2019-04-09 18:59 ` Philippe Mathieu-Daudé
2019-04-09 18:59 ` Philippe Mathieu-Daudé
2019-04-10 0:29 ` David Gibson
2019-04-10 0:29 ` David Gibson
2019-04-10 5:28 ` Markus Armbruster
2019-04-10 5:28 ` Markus Armbruster
2019-04-10 5:44 ` Philippe Mathieu-Daudé
2019-04-10 5:44 ` Philippe Mathieu-Daudé
2019-04-10 5:59 ` Markus Armbruster
2019-04-10 5:59 ` Markus Armbruster
2019-04-10 6:34 ` Alistair Francis
2019-04-10 6:34 ` Alistair Francis
2019-04-10 15:47 ` Philippe Mathieu-Daudé
2019-04-10 15:47 ` Philippe Mathieu-Daudé
2019-04-11 4:31 ` Markus Armbruster
2019-04-11 4:31 ` Markus Armbruster
2019-04-09 20:08 ` Peter Maydell
2019-04-09 20:08 ` Peter Maydell
2019-04-09 20:13 ` Alistair Francis
2019-04-09 20:13 ` Alistair Francis
2019-04-09 20:28 ` Peter Maydell
2019-04-09 20:28 ` Peter Maydell
2019-04-10 5:30 ` Markus Armbruster
2019-04-10 5:30 ` Markus Armbruster
2019-04-10 5:25 ` Philippe Mathieu-Daudé
2019-04-10 5:25 ` Philippe Mathieu-Daudé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190409174018.25798-1-armbru@redhat.com \
--to=armbru@redhat.com \
--cc=alistair.francis@wdc.com \
--cc=david@gibson.dropbear.id.au \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=slp@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).