From: Alistair Francis <alistair23@gmail.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: Markus Armbruster <armbru@redhat.com>,
Alistair Francis <alistair.francis@wdc.com>,
QEMU Developers <qemu-devel@nongnu.org>,
Sergio Lopez <slp@redhat.com>,
David Gibson <david@gibson.dropbear.id.au>
Subject: Re: [Qemu-devel] [PATCH for-4.0-maybe] device_tree: Fix integer overflowing in load_device_tree()
Date: Tue, 9 Apr 2019 13:13:48 -0700 [thread overview]
Message-ID: <CAKmqyKNAT6a+a6MyhSh7RErUOyCPnEv-RKM4S-j12GS9dUMTYw@mail.gmail.com> (raw)
In-Reply-To: <CAFEAcA8xg7wc+fX9Rn_F+L2jS0OzEwRcfjt==R5-YR6iphV=NA@mail.gmail.com>
On Tue, Apr 9, 2019 at 1:08 PM Peter Maydell <peter.maydell@linaro.org> wrote:
>
> On Wed, 10 Apr 2019 at 00:40, Markus Armbruster <armbru@redhat.com> wrote:
> >
> > If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
> > computation of @dt_size overflows to a negative number, which then
> > gets converted to a very large size_t for g_malloc0() and
> > load_image_size(). In the (fortunately improbable) case g_malloc0()
> > succeeds and load_image_size() survives, we'd assign the negative
> > number to *sizep. What that would do to the callers I can't say, but
> > it's unlikely to be good.
> >
> > Fix by rejecting images whose size would overflow.
> >
> > Signed-off-by: Markus Armbruster <armbru@redhat.com>
>
> I think this patch is missing some attributions for the
> security researchers who found the issue initially.
> PJP's patch for this from a couple of weeks back has a
> reported-by credit:
> https://patchew.org/QEMU/20190322073555.20889-1-ppandit@redhat.com/
It seems like from that discussion that this patch is the correct approach.
I can add the attributions and send a PR for 4.0. I'll send it by EOD
unless anyone has any objections.
Alistair
>
> thanks
> -- PMM
>
WARNING: multiple messages have this Message-ID (diff)
From: Alistair Francis <alistair23@gmail.com>
To: Peter Maydell <peter.maydell@linaro.org>
Cc: David Gibson <david@gibson.dropbear.id.au>,
Alistair Francis <alistair.francis@wdc.com>,
Markus Armbruster <armbru@redhat.com>,
Sergio Lopez <slp@redhat.com>,
QEMU Developers <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] [PATCH for-4.0-maybe] device_tree: Fix integer overflowing in load_device_tree()
Date: Tue, 9 Apr 2019 13:13:48 -0700 [thread overview]
Message-ID: <CAKmqyKNAT6a+a6MyhSh7RErUOyCPnEv-RKM4S-j12GS9dUMTYw@mail.gmail.com> (raw)
Message-ID: <20190409201348.RS2C6wJkxXapy3kqc4xJfHvvqd4xUJtBHX9J_-tb958@z> (raw)
In-Reply-To: <CAFEAcA8xg7wc+fX9Rn_F+L2jS0OzEwRcfjt==R5-YR6iphV=NA@mail.gmail.com>
On Tue, Apr 9, 2019 at 1:08 PM Peter Maydell <peter.maydell@linaro.org> wrote:
>
> On Wed, 10 Apr 2019 at 00:40, Markus Armbruster <armbru@redhat.com> wrote:
> >
> > If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
> > computation of @dt_size overflows to a negative number, which then
> > gets converted to a very large size_t for g_malloc0() and
> > load_image_size(). In the (fortunately improbable) case g_malloc0()
> > succeeds and load_image_size() survives, we'd assign the negative
> > number to *sizep. What that would do to the callers I can't say, but
> > it's unlikely to be good.
> >
> > Fix by rejecting images whose size would overflow.
> >
> > Signed-off-by: Markus Armbruster <armbru@redhat.com>
>
> I think this patch is missing some attributions for the
> security researchers who found the issue initially.
> PJP's patch for this from a couple of weeks back has a
> reported-by credit:
> https://patchew.org/QEMU/20190322073555.20889-1-ppandit@redhat.com/
It seems like from that discussion that this patch is the correct approach.
I can add the attributions and send a PR for 4.0. I'll send it by EOD
unless anyone has any objections.
Alistair
>
> thanks
> -- PMM
>
next prev parent reply other threads:[~2019-04-09 20:15 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-09 17:40 [Qemu-devel] [PATCH for-4.0-maybe] device_tree: Fix integer overflowing in load_device_tree() Markus Armbruster
2019-04-09 17:40 ` Markus Armbruster
2019-04-09 18:59 ` Philippe Mathieu-Daudé
2019-04-09 18:59 ` Philippe Mathieu-Daudé
2019-04-10 0:29 ` David Gibson
2019-04-10 0:29 ` David Gibson
2019-04-10 5:28 ` Markus Armbruster
2019-04-10 5:28 ` Markus Armbruster
2019-04-10 5:44 ` Philippe Mathieu-Daudé
2019-04-10 5:44 ` Philippe Mathieu-Daudé
2019-04-10 5:59 ` Markus Armbruster
2019-04-10 5:59 ` Markus Armbruster
2019-04-10 6:34 ` Alistair Francis
2019-04-10 6:34 ` Alistair Francis
2019-04-10 15:47 ` Philippe Mathieu-Daudé
2019-04-10 15:47 ` Philippe Mathieu-Daudé
2019-04-11 4:31 ` Markus Armbruster
2019-04-11 4:31 ` Markus Armbruster
2019-04-09 20:08 ` Peter Maydell
2019-04-09 20:08 ` Peter Maydell
2019-04-09 20:13 ` Alistair Francis [this message]
2019-04-09 20:13 ` Alistair Francis
2019-04-09 20:28 ` Peter Maydell
2019-04-09 20:28 ` Peter Maydell
2019-04-10 5:30 ` Markus Armbruster
2019-04-10 5:30 ` Markus Armbruster
2019-04-10 5:25 ` Philippe Mathieu-Daudé
2019-04-10 5:25 ` Philippe Mathieu-Daudé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKmqyKNAT6a+a6MyhSh7RErUOyCPnEv-RKM4S-j12GS9dUMTYw@mail.gmail.com \
--to=alistair23@gmail.com \
--cc=alistair.francis@wdc.com \
--cc=armbru@redhat.com \
--cc=david@gibson.dropbear.id.au \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=slp@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).