diff options
Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2017-5931.patch')
| -rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-5931.patch | 55 |
1 files changed, 0 insertions, 55 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2017-5931.patch b/gnu/packages/patches/qemu-CVE-2017-5931.patch deleted file mode 100644 index 08910e5fac..0000000000 --- a/gnu/packages/patches/qemu-CVE-2017-5931.patch +++ /dev/null @@ -1,55 +0,0 @@ -Fix CVE-2017-5931 (integer overflow in handling virtio-crypto requests): - -http://seclists.org/oss-sec/2017/q1/337 -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5931 - -Patch copied from upstream source repository: - -http://git.qemu-project.org/?p=qemu.git;a=commit;h=a08aaff811fb194950f79711d2afe5a892ae03a4 - -From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001 -From: Gonglei <arei.gonglei@huawei.com> -Date: Tue, 3 Jan 2017 14:50:03 +0800 -Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow - -Because the 'size_t' type is 4 bytes in 32-bit platform, which -is the same with 'int'. It's easy to make 'max_len' to zero when -integer overflow and then cause heap overflow if 'max_len' is zero. - -Using uint_64 instead of size_t to avoid the integer overflow. - -Cc: qemu-stable@nongnu.org -Reported-by: Li Qiang <liqiang6-s@360.cn> -Signed-off-by: Gonglei <arei.gonglei@huawei.com> -Tested-by: Li Qiang <liqiang6-s@360.cn> -Reviewed-by: Michael S. Tsirkin <mst@redhat.com> -Signed-off-by: Michael S. Tsirkin <mst@redhat.com> ---- - hw/virtio/virtio-crypto.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c -index 2f2467e859..c23e1ad458 100644 ---- a/hw/virtio/virtio-crypto.c -+++ b/hw/virtio/virtio-crypto.c -@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, - uint32_t hash_start_src_offset = 0, len_to_hash = 0; - uint32_t cipher_start_src_offset = 0, len_to_cipher = 0; - -- size_t max_len, curr_size = 0; -+ uint64_t max_len, curr_size = 0; - size_t s; - - /* Plain cipher */ -@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev, - return NULL; - } - -- max_len = iv_len + aad_len + src_len + dst_len + hash_result_len; -+ max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len; - if (unlikely(max_len > vcrypto->conf.max_size)) { - virtio_error(vdev, "virtio-crypto too big length"); - return NULL; --- -2.11.1 - |