Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3e88ed60 authored by AnilKumar Chimata's avatar AnilKumar Chimata
Browse files

crypto: msm: Fix issues related to non-zero byteoffset input 



Fix buffer overflow for a non-zero byteoffset value.

Also fixes memory leak issue by adding data_len check in check_params.
One of the scenarios data_len can be less than byteoffset which results
in memory leak with huge data length, which might cause the kernel panic.

Change-Id: I3f773673219f45dad4f17499b1ee0feda2aff1f7
Signed-off-by: default avatarAnilKumar Chimata <anilc@codeaurora.org>
parent b30e8ff0

drivers/crypto/msm/qcedev.c

+8 −1
Original line number Diff line number Diff line
@@ -1339,7 +1339,7 @@ static int qcedev_vbuf_ablk_cipher_max_xfer(struct qcedev_async_req *areq, 
				areq->cipher_op_req.vbuf.src[0].len))

		return -EFAULT;



	k_align_src += areq->cipher_op_req.vbuf.src[0].len;

	k_align_src += byteoffset + areq->cipher_op_req.vbuf.src[0].len;



	for (i = 1; i < areq->cipher_op_req.entries; i++) {

		user_src =
@@ -1701,6 +1701,13 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req, 
			goto error;

		}

	}



	if (req->data_len < req->byteoffset) {

		pr_err("%s: req data length %u is less than byteoffset %u\n",

				__func__, req->data_len, req->byteoffset);

		goto error;

	}



	/* Ensure zer ivlen for ECB  mode  */

	if (req->ivlen > 0) {

		if ((req->mode == QCEDEV_AES_MODE_ECB) ||