Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ac8bbe8c authored by Zhen Kong's avatar Zhen Kong Committed by Gerrit - the friendly Code Review server
Browse files

crypto: msm: check invalid src and dst vbuf in qcedev.c 



src and dst vbuf address and length are provided from userspace,
and they are invalid if vbuf address is NULL but length is not zero.
Add additional checks in qcedev_check_cipher_params to prevent it.

Change-Id: Iadc1a0c1c5b2f7a56acd03a23c08e45b5a671b19
Signed-off-by: default avatarZhen Kong <zkong@codeaurora.org>
parent f90af475

drivers/crypto/msm/qcedev.c

+10 −0
Original line number Diff line number Diff line
@@ -1490,6 +1490,11 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req, 
	}

	/* Check for sum of all dst length is equal to data_len  */

	for (i = 0, total = 0; i < req->entries; i++) {

		if (!req->vbuf.dst[i].vaddr && req->vbuf.dst[i].len) {

			pr_err("%s: NULL req dst vbuf[%d] with length %d\n",

				__func__, i, req->vbuf.dst[i].len);

			goto error;

		}

		if (req->vbuf.dst[i].len >= U32_MAX - total) {

			pr_err("%s: Integer overflow on total req dst vbuf length\n",

				__func__);
@@ -1504,6 +1509,11 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req, 
	}

	/* Check for sum of all src length is equal to data_len  */

	for (i = 0, total = 0; i < req->entries; i++) {

		if (!req->vbuf.src[i].vaddr && req->vbuf.src[i].len) {

			pr_err("%s: NULL req src vbuf[%d] with length %d\n",

				__func__, i, req->vbuf.src[i].len);

			goto error;

		}

		if (req->vbuf.src[i].len > U32_MAX - total) {

			pr_err("%s: Integer overflow on total req src vbuf length\n",

				__func__);