qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Qemu-devel] [PATCH for-4.0-maybe] device_tree: Fix integer overflow

From: Peter Maydell
Subject: Re: [Qemu-devel] [PATCH for-4.0-maybe] device_tree: Fix integer overflowing in load_device_tree()
Date: Wed, 10 Apr 2019 03:08:28 +0700 
On Wed, 10 Apr 2019 at 00:40, Markus Armbruster <address@hidden> wrote:
>
> If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
> computation of @dt_size overflows to a negative number, which then
> gets converted to a very large size_t for g_malloc0() and
> load_image_size().  In the (fortunately improbable) case g_malloc0()
> succeeds and load_image_size() survives, we'd assign the negative
> number to *sizep.  What that would do to the callers I can't say, but
> it's unlikely to be good.
>
> Fix by rejecting images whose size would overflow.
>
> Signed-off-by: Markus Armbruster <address@hidden>

I think this patch is missing some attributions for the
security researchers who found the issue initially.
PJP's patch for this from a couple of weeks back has a
reported-by credit:
https://patchew.org/QEMU/address@hidden/

thanks
-- PMM
reply via email to
[Prev in Thread] Current Thread [Next in Thread]