Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 29ba268e authored by Zhen Kong's avatar Zhen Kong
Browse files

crypto: msm: check integer overflow on total data len in qcedev.c 



qcedev_vbuf_ablk_cipher will calculate total data length. It starts
with the value of "areq->cipher_op_req.byteoffset", which is controlled
by the user. Make change to check if this total data length has integer
overflow issue in qcedev_check_cipher_params.

Change-Id: Ice42dca6d47eb8febfe8a34e566c69e4799fab57
Signed-off-by: default avatarZhen Kong <zkong@codeaurora.org>
parent 0a8e939a

drivers/crypto/msm/qcedev.c

+11 −2
Original line number Diff line number Diff line 
/* Qualcomm CE device driver.

 *

 * Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.

 * Copyright (c) 2010-2017, The Linux Foundation. All rights reserved.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and
@@ -1445,6 +1445,15 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req, 
			pr_err("%s: Invalid byte offset\n", __func__);

			goto error;

		}

		total = req->byteoffset;

		for (i = 0; i < req->entries; i++) {

			if (total > U32_MAX - req->vbuf.src[i].len) {

				pr_err("%s:Integer overflow on total src len\n",

					__func__);

				goto error;

			}

			total += req->vbuf.src[i].len;

		}

	}



	if (req->data_len < req->byteoffset) {
@@ -1480,7 +1489,7 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req, 
		}

	}

	/* Check for sum of all dst length is equal to data_len  */

	for (i = 0; i < req->entries; i++) {

	for (i = 0, total = 0; i < req->entries; i++) {

		if (req->vbuf.dst[i].len >= U32_MAX - total) {

			pr_err("%s: Integer overflow on total req dst vbuf length\n",

				__func__);