On 12/14/25 12:09, zhenwei pi wrote:
The total length of request is limited by cryptodev config, verify it
to avoid unexpected request from guest.
Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm")
Reported-by: AM 이재영 <[email protected]>
Signed-off-by: zhenwei pi <[email protected]>
---
hw/virtio/virtio-crypto.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
index 517f2089c5..94dbf9d92d 100644
--- a/hw/virtio/virtio-crypto.c
+++ b/hw/virtio/virtio-crypto.c
@@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto,
uint32_t len;
uint8_t *src = NULL;
uint8_t *dst = NULL;
+ uint64_t max_len;
asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1);
src_len = ldl_le_p(&req->para.src_data_len);
dst_len = ldl_le_p(&req->para.dst_data_len);
+ max_len = src_len + dst_len;
I believe this can be overflown when calculating the sum, while
both args are uint32_t.
max_len = (uint64_t)src_len + dst_len;
might be better. This is what's used in other places in this
file too.
I wonder if modern compilers can warn about such overflow
possibilities, and what's the better way to write such
expressions. Something like
max_len = src_len; max_len += dst_len
maybe? :)
+ if (unlikely(max_len > vcrypto->conf.max_size)) {
+ virtio_error(vdev, "virtio-crypto asym too big length");
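Review bot: At "max_len = src_len + dst_len;" the addition is done in 32 bits, because both lengths are read with ldl_le_p and, as the reply points out, are uint32_t, so the sum can wrap before it is stored in the uint64_t max_len and a wrapped value passes the "max_len > vcrypto->conf.max_size" test. Widen one operand first, for example "max_len = (uint64_t)src_len + dst_len;". The new check also sits after "asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1);" and the quoted lines stop before the rest of the error branch, so it is worth confirming that the rejection path releases asym_op_info.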
"virtio-crypto asym request is too large" ?
Thanks,
/mjt
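
The wrap discussed in the reply above, as an added example that is not part of the original message or of QEMU's code: it compares the check as posted with the widened form and two other overflow-safe ways to write it. The function names, the 1 MiB limit and the sample lengths are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* As posted: the sum is computed in 32 bits (wrapping modulo 2^32) and
 * only the wrapped result is widened into the 64-bit variable. */
static bool len_ok_as_posted(uint32_t src_len, uint32_t dst_len, uint64_t max_size)
{
    uint64_t max_len = src_len + dst_len;
    return max_len <= max_size;
}

/* As suggested in the reply: widen one operand so the sum is 64-bit. */
static bool len_ok_widened(uint32_t src_len, uint32_t dst_len, uint64_t max_size)
{
    uint64_t max_len = (uint64_t)src_len + dst_len;
    return max_len <= max_size;
}

/* No wider type needed: compare against the remaining budget instead. */
static bool len_ok_subtract(uint32_t src_len, uint32_t dst_len, uint64_t max_size)
{
    return src_len <= max_size && dst_len <= max_size - src_len;
}

/* GCC/Clang extension: the builtin reports the 32-bit wrap explicitly. */
static bool len_ok_builtin(uint32_t src_len, uint32_t dst_len, uint64_t max_size)
{
    uint32_t sum;
    if (__builtin_add_overflow(src_len, dst_len, &sum)) {
        return false;
    }
    return sum <= max_size;
}

int main(void)
{
    /* Constructed values: a 1 MiB limit and lengths whose 32-bit sum is 0x100. */
    const uint64_t max_size = 1u << 20;
    const uint32_t src_len = 0xFFFFFF00u, dst_len = 0x200u;

    printf("as posted: %d\n", len_ok_as_posted(src_len, dst_len, max_size));
    printf("widened:   %d\n", len_ok_widened(src_len, dst_len, max_size));
    printf("subtract:  %d\n", len_ok_subtract(src_len, dst_len, max_size));
    printf("builtin:   %d\n", len_ok_builtin(src_len, dst_len, max_size));
    return 0;
}
```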