From: Peter Maydell <peter.maydell@linaro.org>
To: Markus Armbruster <armbru@redhat.com>
Cc: QEMU Developers <qemu-devel@nongnu.org>,
Alistair Francis <alistair.francis@wdc.com>,
David Gibson <david@gibson.dropbear.id.au>,
Peter Maydell <peter.maydell@linaro.org>,
Sergio Lopez <slp@redhat.com>
Subject: Re: [Qemu-devel] [PATCH for-4.0-maybe] device_tree: Fix integer overflowing in load_device_tree()
Date: Wed, 10 Apr 2019 03:08:28 +0700 [thread overview]
Message-ID: <CAFEAcA8xg7wc+fX9Rn_F+L2jS0OzEwRcfjt==R5-YR6iphV=NA@mail.gmail.com> (raw)
In-Reply-To: <20190409174018.25798-1-armbru@redhat.com>
On Wed, 10 Apr 2019 at 00:40, Markus Armbruster <armbru@redhat.com> wrote:
>
> If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
> computation of @dt_size overflows to a negative number, which then
> gets converted to a very large size_t for g_malloc0() and
> load_image_size(). In the (fortunately improbable) case g_malloc0()
> succeeds and load_image_size() survives, we'd assign the negative
> number to *sizep. What that would do to the callers I can't say, but
> it's unlikely to be good.
>
> Fix by rejecting images whose size would overflow.
>
> Signed-off-by: Markus Armbruster <armbru@redhat.com>
I think this patch is missing some attributions for the
security researchers who found the issue initially.
PJP's patch for this from a couple of weeks back has a
reported-by credit:
https://patchew.org/QEMU/20190322073555.20889-1-ppandit@redhat.com/
thanks
-- PMM
WARNING: multiple messages have this Message-ID (diff)
From: Peter Maydell <peter.maydell@linaro.org>
To: Markus Armbruster <armbru@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>,
Alistair Francis <alistair.francis@wdc.com>,
QEMU Developers <qemu-devel@nongnu.org>,
Sergio Lopez <slp@redhat.com>,
David Gibson <david@gibson.dropbear.id.au>
Subject: Re: [Qemu-devel] [PATCH for-4.0-maybe] device_tree: Fix integer overflowing in load_device_tree()
Date: Wed, 10 Apr 2019 03:08:28 +0700 [thread overview]
Message-ID: <CAFEAcA8xg7wc+fX9Rn_F+L2jS0OzEwRcfjt==R5-YR6iphV=NA@mail.gmail.com> (raw)
Message-ID: <20190409200828.8M0YgeEzrEZw8kJlNZivu_qudQBarjQRQW964icWi1c@z> (raw)
In-Reply-To: <20190409174018.25798-1-armbru@redhat.com>
On Wed, 10 Apr 2019 at 00:40, Markus Armbruster <armbru@redhat.com> wrote:
>
> If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
> computation of @dt_size overflows to a negative number, which then
> gets converted to a very large size_t for g_malloc0() and
> load_image_size(). In the (fortunately improbable) case g_malloc0()
> succeeds and load_image_size() survives, we'd assign the negative
> number to *sizep. What that would do to the callers I can't say, but
> it's unlikely to be good.
>
> Fix by rejecting images whose size would overflow.
>
> Signed-off-by: Markus Armbruster <armbru@redhat.com>
I think this patch is missing some attributions for the
security researchers who found the issue initially.
PJP's patch for this from a couple of weeks back has a
reported-by credit:
https://patchew.org/QEMU/20190322073555.20889-1-ppandit@redhat.com/
thanks
-- PMM
next prev parent reply other threads:[~2019-04-09 20:08 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-09 17:40 [Qemu-devel] [PATCH for-4.0-maybe] device_tree: Fix integer overflowing in load_device_tree() Markus Armbruster
2019-04-09 17:40 ` Markus Armbruster
2019-04-09 18:59 ` Philippe Mathieu-Daudé
2019-04-09 18:59 ` Philippe Mathieu-Daudé
2019-04-10 0:29 ` David Gibson
2019-04-10 0:29 ` David Gibson
2019-04-10 5:28 ` Markus Armbruster
2019-04-10 5:28 ` Markus Armbruster
2019-04-10 5:44 ` Philippe Mathieu-Daudé
2019-04-10 5:44 ` Philippe Mathieu-Daudé
2019-04-10 5:59 ` Markus Armbruster
2019-04-10 5:59 ` Markus Armbruster
2019-04-10 6:34 ` Alistair Francis
2019-04-10 6:34 ` Alistair Francis
2019-04-10 15:47 ` Philippe Mathieu-Daudé
2019-04-10 15:47 ` Philippe Mathieu-Daudé
2019-04-11 4:31 ` Markus Armbruster
2019-04-11 4:31 ` Markus Armbruster
2019-04-09 20:08 ` Peter Maydell [this message]
2019-04-09 20:08 ` Peter Maydell
2019-04-09 20:13 ` Alistair Francis
2019-04-09 20:13 ` Alistair Francis
2019-04-09 20:28 ` Peter Maydell
2019-04-09 20:28 ` Peter Maydell
2019-04-10 5:30 ` Markus Armbruster
2019-04-10 5:30 ` Markus Armbruster
2019-04-10 5:25 ` Philippe Mathieu-Daudé
2019-04-10 5:25 ` Philippe Mathieu-Daudé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAFEAcA8xg7wc+fX9Rn_F+L2jS0OzEwRcfjt==R5-YR6iphV=NA@mail.gmail.com' \
--to=peter.maydell@linaro.org \
--cc=alistair.francis@wdc.com \
--cc=armbru@redhat.com \
--cc=david@gibson.dropbear.id.au \
--cc=qemu-devel@nongnu.org \
--cc=slp@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).