qemu-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH for-4.0-maybe] device_tree: Fix integer overflow


From: Alistair Francis
Subject: Re: [Qemu-devel] [PATCH for-4.0-maybe] device_tree: Fix integer overflowing in load_device_tree()
Date: Tue, 9 Apr 2019 13:13:48 -0700

On Tue, Apr 9, 2019 at 1:08 PM Peter Maydell <address@hidden> wrote:
>
> On Wed, 10 Apr 2019 at 00:40, Markus Armbruster <address@hidden> wrote:
> >
> > If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
> > computation of @dt_size overflows to a negative number, which then
> > gets converted to a very large size_t for g_malloc0() and
> > load_image_size().  In the (fortunately improbable) case g_malloc0()
> > succeeds and load_image_size() survives, we'd assign the negative
> > number to *sizep.  What that would do to the callers I can't say, but
> > it's unlikely to be good.
> >
> > Fix by rejecting images whose size would overflow.
> >
> > Signed-off-by: Markus Armbruster <address@hidden>
>
> I think this patch is missing some attributions for the
> security researchers who found the issue initially.
> PJP's patch for this from a couple of weeks back has a
> reported-by credit:
> https://patchew.org/QEMU/address@hidden/

It seems like from that discussion that this patch is the correct approach.

I can add the attributions and send a PR for 4.0. I'll send it by EOD
unless anyone has any objections.

Alistair

>
> thanks
> -- PMM
>



reply via email to

[Prev in Thread] Current Thread [Next in Thread]