From: "Michael S. Tsirkin" <mst@redhat.com>
To: zhenwei pi <pizhenwei@bytedance.com>
Cc: arei.gonglei@huawei.com, jasowang@redhat.com,
herbert@gondor.apana.org.au, xuanzhuo@linux.alibaba.com,
virtualization@lists.linux.dev, nathan@kernel.org,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
davem@davemloft.net
Subject: Re: [PATCH] crypto: virtio/akcipher - Fix stack overflow on memcpy
Date: Wed, 31 Jan 2024 17:36:45 -0500 [thread overview]
Message-ID: <20240131173615-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <20240130112740.882183-1-pizhenwei@bytedance.com>
On Tue, Jan 30, 2024 at 07:27:40PM +0800, zhenwei pi wrote:
> sizeof(struct virtio_crypto_akcipher_session_para) is less than
> sizeof(struct virtio_crypto_op_ctrl_req::u), copying more bytes from
> stack variable leads stack overflow. Clang reports this issue by
> commands:
> make -j CC=clang-14 mrproper >/dev/null 2>&1
> make -j O=/tmp/crypto-build CC=clang-14 allmodconfig >/dev/null 2>&1
> make -j O=/tmp/crypto-build W=1 CC=clang-14 drivers/crypto/virtio/
> virtio_crypto_akcipher_algs.o
>
> Fixes: 59ca6c93387d ("virtio-crypto: implement RSA algorithm")
> Link: https://lore.kernel.org/all/0a194a79-e3a3-45e7-be98-83abd3e1cb7e@roeck-us.net/
> Signed-off-by: zhenwei pi <pizhenwei@bytedance.com>
Cc: stable@vger.kernel.org
Acked-by: Michael S. Tsirkin <mst@redhat.com>
> ---
> drivers/crypto/virtio/virtio_crypto_akcipher_algs.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c b/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
> index 2621ff8a9376..de53eddf6796 100644
> --- a/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
> +++ b/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
> @@ -104,7 +104,8 @@ static void virtio_crypto_dataq_akcipher_callback(struct virtio_crypto_request *
> }
>
> static int virtio_crypto_alg_akcipher_init_session(struct virtio_crypto_akcipher_ctx *ctx,
> - struct virtio_crypto_ctrl_header *header, void *para,
> + struct virtio_crypto_ctrl_header *header,
> + struct virtio_crypto_akcipher_session_para *para,
> const uint8_t *key, unsigned int keylen)
> {
> struct scatterlist outhdr_sg, key_sg, inhdr_sg, *sgs[3];
> @@ -128,7 +129,7 @@ static int virtio_crypto_alg_akcipher_init_session(struct virtio_crypto_akcipher
>
> ctrl = &vc_ctrl_req->ctrl;
> memcpy(&ctrl->header, header, sizeof(ctrl->header));
> - memcpy(&ctrl->u, para, sizeof(ctrl->u));
> + memcpy(&ctrl->u.akcipher_create_session.para, para, sizeof(*para));
> input = &vc_ctrl_req->input;
> input->status = cpu_to_le32(VIRTIO_CRYPTO_ERR);
>
> --
> 2.34.1
next prev parent reply other threads:[~2024-01-31 22:37 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-30 11:27 [PATCH] crypto: virtio/akcipher - Fix stack overflow on memcpy zhenwei pi
2024-01-31 19:10 ` Nathan Chancellor
2024-01-31 22:36 ` Michael S. Tsirkin [this message]
2024-02-01 5:49 ` Jason Wang
2024-02-09 5:00 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240131173615-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=arei.gonglei@huawei.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=jasowang@redhat.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nathan@kernel.org \
--cc=pizhenwei@bytedance.com \
--cc=virtualization@lists.linux.dev \
--cc=xuanzhuo@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).