summary refs log tree commit diff
path: root/gnu/packages/patches/qemu-CVE-2017-5931.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/qemu-CVE-2017-5931.patch')
-rw-r--r--gnu/packages/patches/qemu-CVE-2017-5931.patch55
1 files changed, 0 insertions, 55 deletions
diff --git a/gnu/packages/patches/qemu-CVE-2017-5931.patch b/gnu/packages/patches/qemu-CVE-2017-5931.patch
deleted file mode 100644
index 08910e5fac..0000000000
--- a/gnu/packages/patches/qemu-CVE-2017-5931.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-Fix CVE-2017-5931 (integer overflow in handling virtio-crypto requests):
-
-http://seclists.org/oss-sec/2017/q1/337
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5931
-
-Patch copied from upstream source repository:
-
-http://git.qemu-project.org/?p=qemu.git;a=commit;h=a08aaff811fb194950f79711d2afe5a892ae03a4
-
-From a08aaff811fb194950f79711d2afe5a892ae03a4 Mon Sep 17 00:00:00 2001
-From: Gonglei <arei.gonglei@huawei.com>
-Date: Tue, 3 Jan 2017 14:50:03 +0800
-Subject: [PATCH] virtio-crypto: fix possible integer and heap overflow
-
-Because the 'size_t' type is 4 bytes in 32-bit platform, which
-is the same with 'int'. It's easy to make 'max_len' to zero when
-integer overflow and then cause heap overflow if 'max_len' is zero.
-
-Using uint_64 instead of size_t to avoid the integer overflow.
-
-Cc: qemu-stable@nongnu.org
-Reported-by: Li Qiang <liqiang6-s@360.cn>
-Signed-off-by: Gonglei <arei.gonglei@huawei.com>
-Tested-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
-Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
----
- hw/virtio/virtio-crypto.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
-index 2f2467e859..c23e1ad458 100644
---- a/hw/virtio/virtio-crypto.c
-+++ b/hw/virtio/virtio-crypto.c
-@@ -416,7 +416,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
-     uint32_t hash_start_src_offset = 0, len_to_hash = 0;
-     uint32_t cipher_start_src_offset = 0, len_to_cipher = 0;
- 
--    size_t max_len, curr_size = 0;
-+    uint64_t max_len, curr_size = 0;
-     size_t s;
- 
-     /* Plain cipher */
-@@ -441,7 +441,7 @@ virtio_crypto_sym_op_helper(VirtIODevice *vdev,
-         return NULL;
-     }
- 
--    max_len = iv_len + aad_len + src_len + dst_len + hash_result_len;
-+    max_len = (uint64_t)iv_len + aad_len + src_len + dst_len + hash_result_len;
-     if (unlikely(max_len > vcrypto->conf.max_size)) {
-         virtio_error(vdev, "virtio-crypto too big length");
-         return NULL;
--- 
-2.11.1
-