mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-04 12:20:49 -05:00
49 lines
1.7 KiB
Diff
49 lines
1.7 KiB
Diff
|
From 2b09507d78b25637df6879cd2ee2031b208b3532 Mon Sep 17 00:00:00 2001
|
||
|
From: Zhen Kong <zkong@codeaurora.org>
|
||
|
Date: Thu, 19 Jan 2017 14:59:44 -0800
|
||
|
Subject: crypto: msm: check integer overflow on total data len in qcedev.c
|
||
|
|
||
|
qcedev_vbuf_ablk_cipher will calculate total data length. It starts
|
||
|
with the value of "areq->cipher_op_req.byteoffset", which is controlled
|
||
|
by the user. Make change to check if this total data length has integer
|
||
|
overflow issue in qcedev_check_cipher_params.
|
||
|
|
||
|
Change-Id: Ice42dca6d47eb8febfe8a34e566c69e4799fab57
|
||
|
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
|
||
|
---
|
||
|
drivers/crypto/msm/qcedev.c | 11 ++++++++++-
|
||
|
1 file changed, 10 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c
|
||
|
index 9ab03209b..a629c62 100644
|
||
|
--- a/drivers/crypto/msm/qcedev.c
|
||
|
+++ b/drivers/crypto/msm/qcedev.c
|
||
|
@@ -1445,6 +1445,15 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
|
||
|
pr_err("%s: Invalid byte offset\n", __func__);
|
||
|
goto error;
|
||
|
}
|
||
|
+ total = req->byteoffset;
|
||
|
+ for (i = 0; i < req->entries; i++) {
|
||
|
+ if (total > U32_MAX - req->vbuf.src[i].len) {
|
||
|
+ pr_err("%s:Integer overflow on total src len\n",
|
||
|
+ __func__);
|
||
|
+ goto error;
|
||
|
+ }
|
||
|
+ total += req->vbuf.src[i].len;
|
||
|
+ }
|
||
|
}
|
||
|
|
||
|
if (req->data_len < req->byteoffset) {
|
||
|
@@ -1480,7 +1489,7 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
|
||
|
}
|
||
|
}
|
||
|
/* Check for sum of all dst length is equal to data_len */
|
||
|
- for (i = 0; i < req->entries; i++) {
|
||
|
+ for (i = 0, total = 0; i < req->entries; i++) {
|
||
|
if (req->vbuf.dst[i].len >= U32_MAX - total) {
|
||
|
pr_err("%s: Integer overflow on total req dst vbuf length\n",
|
||
|
__func__);
|
||
|
--
|
||
|
cgit v1.1
|
||
|
|