From: "Philippe Mathieu-Daudé" <philmd@redhat.com>
To: Alistair Francis <alistair23@gmail.com>,
Markus Armbruster <armbru@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>,
Alistair Francis <alistair.francis@wdc.com>,
"qemu-devel@nongnu.org Developers" <qemu-devel@nongnu.org>,
Sergio Lopez <slp@redhat.com>,
David Gibson <david@gibson.dropbear.id.au>
Subject: [Qemu-devel] [PATCH for-4.0-maybe] device_tree: Fix integer overflowing in load_device_tree()
Date: Wed, 10 Apr 2019 17:47:44 +0200 [thread overview]
Message-ID: <b73bbac0-a501-0004-5a41-748e2b23ab13@redhat.com> (raw)
In-Reply-To: <CAKmqyKM7fX6UqSU5K+w25xGxO2K4kqtyoRz7LMFN7GtBYL56KA@mail.gmail.com>
On 4/10/19 8:34 AM, Alistair Francis wrote:
> On Tue, Apr 9, 2019 at 10:59 PM Markus Armbruster <armbru@redhat.com> wrote:
>> Philippe Mathieu-Daudé <philmd@redhat.com> writes:
>>> On 4/10/19 7:28 AM, Markus Armbruster wrote:
>>>> Philippe Mathieu-Daudé <philmd@redhat.com> writes:
>>>>> On 4/9/19 7:40 PM, Markus Armbruster wrote:
>>>>>> If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
>>>>>> computation of @dt_size overflows to a negative number, which then
>>>>>> gets converted to a very large size_t for g_malloc0() and
>>>>>> load_image_size(). In the (fortunately improbable) case g_malloc0()
>>>>>> succeeds and load_image_size() survives, we'd assign the negative
>>>>>> number to *sizep. What that would do to the callers I can't say, but
>>>>>> it's unlikely to be good.
>>>>>>
>>>>>> Fix by rejecting images whose size would overflow.
>>>>>>
>>>>>> Signed-off-by: Markus Armbruster <armbru@redhat.com>
>>>>>> ---
>>>>>> device_tree.c | 4 ++++
>>>>>> 1 file changed, 4 insertions(+)
>>>>>>
>>>>>> diff --git a/device_tree.c b/device_tree.c
>>>>>> index 296278e12a..f8b46b3c73 100644
>>>>>> --- a/device_tree.c
>>>>>> +++ b/device_tree.c
>>>>>> @@ -84,6 +84,10 @@ void *load_device_tree(const char *filename_path, int *sizep)
>>>>>> filename_path);
>>>>>> goto fail;
>>>>>> }
>>>>>> + if (dt_size > INT_MAX / 2 - 10000) {
>>>>>
>>>>> We should avoid magic number duplication.
>>>>> That said, this patch looks safe.
>>>>>
>>>>> Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
>>>>
>>>> Thanks!
>>>>
>>>>> BTW how did you figure that out?
>>>>
>>>> Downstream handling of upstream commit da885fe1ee8 led me to the
>>>> function. I spotted dt_size = get_image_size(filename_path).
>>>> Experience has taught me to check the left hand side's type. Bad. Then
>>>> I saw how dt_size gets increased. Worse.
>>>
>>> So you genuinely neglected to mention Kurtis Miller then :)
>>
>> Explanation, not excuse: the only occurence of the name in my downstream
>> reading was a two-liner BZ comment, which I totally missed in my haste
>> to give the fix a chance to make 4.0. I certainly didn't mean to
>> deprive him of credit!
My English teacher explained me neglected sounds like a
reprimand/reproach (as in negligence), sorry I didn't mean to be rude
here, I wanted to say something like "Peter remarked you did gave
credits to the first one who reported this issue, but since you figured
this bug via your own way, the omission was not intentional then."
> No worries. I have sent the pull request and it includes the reported by.
>
> Alistair
>
>>
>> [...]
>>
next prev parent reply other threads:[~2019-04-10 15:47 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-09 17:40 [Qemu-devel] [PATCH for-4.0-maybe] device_tree: Fix integer overflowing in load_device_tree() Markus Armbruster
2019-04-09 17:40 ` Markus Armbruster
2019-04-09 18:59 ` Philippe Mathieu-Daudé
2019-04-09 18:59 ` Philippe Mathieu-Daudé
2019-04-10 0:29 ` David Gibson
2019-04-10 0:29 ` David Gibson
2019-04-10 5:28 ` Markus Armbruster
2019-04-10 5:28 ` Markus Armbruster
2019-04-10 5:44 ` Philippe Mathieu-Daudé
2019-04-10 5:44 ` Philippe Mathieu-Daudé
2019-04-10 5:59 ` Markus Armbruster
2019-04-10 5:59 ` Markus Armbruster
2019-04-10 6:34 ` Alistair Francis
2019-04-10 6:34 ` Alistair Francis
2019-04-10 15:47 ` Philippe Mathieu-Daudé [this message]
2019-04-10 15:47 ` Philippe Mathieu-Daudé
2019-04-11 4:31 ` Markus Armbruster
2019-04-11 4:31 ` Markus Armbruster
2019-04-09 20:08 ` Peter Maydell
2019-04-09 20:08 ` Peter Maydell
2019-04-09 20:13 ` Alistair Francis
2019-04-09 20:13 ` Alistair Francis
2019-04-09 20:28 ` Peter Maydell
2019-04-09 20:28 ` Peter Maydell
2019-04-10 5:30 ` Markus Armbruster
2019-04-10 5:30 ` Markus Armbruster
2019-04-10 5:25 ` Philippe Mathieu-Daudé
2019-04-10 5:25 ` Philippe Mathieu-Daudé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b73bbac0-a501-0004-5a41-748e2b23ab13@redhat.com \
--to=philmd@redhat.com \
--cc=alistair.francis@wdc.com \
--cc=alistair23@gmail.com \
--cc=armbru@redhat.com \
--cc=david@gibson.dropbear.id.au \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=slp@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).