Re: [PATCH v2 2/2] cryptodev-builtin: Limit the maximum size

Mon, 22 Dec 2025 01:08:00 -0800 


On 12/22/25 09:29, Gonglei (Arei) wrote:

Hi,


-----Original Message-----
From: zhenwei pi <[email protected]>
Sent: Sunday, December 21, 2025 10:43 AM
To: [email protected]
Cc: [email protected]; Gonglei (Arei) <[email protected]>;
[email protected]; [email protected]; zhenwei pi
<[email protected]>; zhenwei pi <[email protected]>
Subject: [PATCH v2 2/2] cryptodev-builtin: Limit the maximum size

From: zhenwei pi <[email protected]>

This backend driver is used for demonstration purposes only, unlimited size 
leads
QEMU OOM.

Fixes: CVE-2025-14876


Actually, I don't think this fix has anything to do with the CVE. You can 
consider it an improvement.




The original size is almost LONG_MAX, it does not limit memory usage of 
QEMU. So I used to think it was also a part of this CVE.


I also have no objection to removing this tag from here.


Fixes: 1653a5f3fc7 ("cryptodev: introduce a new cryptodev backend")
Reported-by: 이재영 <[email protected]>
Signed-off-by: zhenwei pi <[email protected]>
---
  backends/cryptodev-builtin.c | 9 +++------
  1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/backends/cryptodev-builtin.c b/backends/cryptodev-builtin.c index
0414c01e06..55a3fbd27b 100644
--- a/backends/cryptodev-builtin.c
+++ b/backends/cryptodev-builtin.c
@@ -53,6 +53,8 @@ typedef struct CryptoDevBackendBuiltinSession {

  #define CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN    512
  #define CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN  64
+/* demonstration purposes only, use a limited size to avoid QEMU OOM */
+#define CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE  (1024 * 1024)

  struct CryptoDevBackendBuiltin {
      CryptoDevBackend parent_obj;
@@ -98,12 +100,7 @@ static void cryptodev_builtin_init(
                           1u <<
QCRYPTODEV_BACKEND_SERVICE_TYPE_MAC;
      backend->conf.cipher_algo_l = 1u << VIRTIO_CRYPTO_CIPHER_AES_CBC;
      backend->conf.hash_algo = 1u << VIRTIO_CRYPTO_HASH_SHA1;
-    /*
-     * Set the Maximum length of crypto request.
-     * Why this value? Just avoid to overflow when
-     * memory allocation for each crypto request.
-     */
-    backend->conf.max_size = LONG_MAX - sizeof(CryptoDevBackendOpInfo);
+    backend->conf.max_size = CRYPTODEV_BUITLIN_MAX_REQUEST_SIZE;
      backend->conf.max_cipher_key_len =
CRYPTODEV_BUITLIN_MAX_CIPHER_KEY_LEN;
      backend->conf.max_auth_key_len =
CRYPTODEV_BUITLIN_MAX_AUTH_KEY_LEN;
      cryptodev_builtin_init_akcipher(backend);
--
2.43.0



























					Reply via email to