DivestOS/Patches/Linux_CVEs/CVE-2016-3935/0.patch

60 lines
2.3 KiB
Diff
Raw Normal View History

From 5f69ccf3b011c1d14a1b1b00dbaacf74307c9132 Mon Sep 17 00:00:00 2001
From: Zhen Kong <zkong@codeaurora.org>
Date: Fri, 29 Jul 2016 15:32:31 -0700
Subject: msm: crypto: Fix integer over flow check in qcedev driver
Integer overflow check always fails when ULONG_MAX is used,
as ULONG_MAX is 2^64-1, while req->data[i].len and total
are uint32_t. Make change to use U32_MAX instead of
ULONG_MAX.
CRs-fixed: 1046507
Change-Id: Iccf9c32400ecc7ffc0afae16f58c38e5d78a5b64
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
---
drivers/crypto/msm/qcedev.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c
index 51f5069..e63f061 100644
--- a/drivers/crypto/msm/qcedev.c
+++ b/drivers/crypto/msm/qcedev.c
@@ -1,6 +1,6 @@
/* Qualcomm CE device driver.
*
- * Copyright (c) 2010-2015, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -1543,7 +1543,7 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
}
/* Check for sum of all dst length is equal to data_len */
for (i = 0; i < req->entries; i++) {
- if (req->vbuf.dst[i].len >= ULONG_MAX - total) {
+ if (req->vbuf.dst[i].len >= U32_MAX - total) {
pr_err("%s: Integer overflow on total req dst vbuf length\n",
__func__);
goto error;
@@ -1557,7 +1557,7 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
}
/* Check for sum of all src length is equal to data_len */
for (i = 0, total = 0; i < req->entries; i++) {
- if (req->vbuf.src[i].len > ULONG_MAX - total) {
+ if (req->vbuf.src[i].len > U32_MAX - total) {
pr_err("%s: Integer overflow on total req src vbuf length\n",
__func__);
goto error;
@@ -1619,7 +1619,7 @@ static int qcedev_check_sha_params(struct qcedev_sha_op_req *req,
/* Check for sum of all src length is equal to data_len */
for (i = 0, total = 0; i < req->entries; i++) {
- if (req->data[i].len > ULONG_MAX - total) {
+ if (req->data[i].len > U32_MAX - total) {
pr_err("%s: Integer overflow on total req buf length\n",
__func__);
goto sha_error;
--
cgit v1.1