Dev news

Commit 91c6438caf for qemu.org

commit 91c6438caffc880e999a7312825479685d659b44
Author: zhenwei pi <pizhenwei@tensorfer.com>
Date:   Sun Dec 21 10:43:20 2025 +0800

    hw/virtio/virtio-crypto: verify asym request size

    The total lenght of request is limited by cryptodev config, verify it
    to avoid unexpected request from guest.

    Fixes: CVE-2025-14876
    Fixes: 0e660a6f90a ("crypto: Introduce RSA algorithm")
    Reported-by: 이재영 <nakamurajames123@gmail.com>
    Signed-off-by: zhenwei pi <zhenwei.pi@linux.dev>
    Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Message-Id: <20251221024321.143196-2-zhenwei.pi@linux.dev>

diff --git a/hw/virtio/virtio-crypto.c b/hw/virtio/virtio-crypto.c
index cbd1810fbc..6fceb39681 100644
--- a/hw/virtio/virtio-crypto.c
+++ b/hw/virtio/virtio-crypto.c
@@ -767,11 +767,18 @@ virtio_crypto_handle_asym_req(VirtIOCrypto *vcrypto,
     uint32_t len;
     uint8_t *src = NULL;
     uint8_t *dst = NULL;
+    uint64_t max_len;

     asym_op_info = g_new0(CryptoDevBackendAsymOpInfo, 1);
     src_len = ldl_le_p(&req->para.src_data_len);
     dst_len = ldl_le_p(&req->para.dst_data_len);

+    max_len = (uint64_t)src_len + dst_len;
+    if (unlikely(max_len > vcrypto->conf.max_size)) {
+        virtio_error(vdev, "virtio-crypto asym request is too large");
+        goto err;
+    }
+
     if (src_len > 0) {
         src = g_malloc0(src_len);
         len = iov_to_buf(iov, out_num, 0, src, src_len);