From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1B790C04A68 for ; Wed, 27 Jul 2022 17:21:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235930AbiG0RVk (ORCPT ); Wed, 27 Jul 2022 13:21:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33524 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241963AbiG0RTY (ORCPT ); Wed, 27 Jul 2022 13:19:24 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2BC28BF6B; Wed, 27 Jul 2022 09:44:34 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id DCDF6B8200C; Wed, 27 Jul 2022 16:44:32 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 474CCC433D7; Wed, 27 Jul 2022 16:44:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1658940271; bh=/0a/0Z9dUlo8grhA3fXLHeVFNp9BdkiWV92ue3bNBfM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1HJHjIsbk8dQkrOhC2KHGGm6VEbetw5o8IWzMgOiYoDJ/4g4dJDOW20n4DW7RyvUf ivxPB4SDlVT3plb7Gca1/d0Dvhu+eDqJ2zZZjLcqZDaXXDWQMIOZsjFQMR5TVmRUBz uW4WLkvlCkMmRDhTLSOe/Lw54c8FinYf4oeQc8do= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Giovanni Cabiddu , Adam Guerin , Wojciech Ziemba , Herbert Xu , Sasha Levin Subject: [PATCH 5.15 165/201] crypto: qat - add param check for RSA Date: Wed, 27 Jul 2022 18:11:09 +0200 Message-Id: <20220727161034.673218890@linuxfoundation.org> X-Mailer: git-send-email 2.37.1 In-Reply-To: <20220727161026.977588183@linuxfoundation.org> References: <20220727161026.977588183@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Giovanni Cabiddu [ Upstream commit 9714061423b8b24b8afb31b8eb4df977c63f19c4 ] Reject requests with a source buffer that is bigger than the size of the key. This is to prevent a possible integer underflow that might happen when copying the source scatterlist into a linear buffer. Cc: stable@vger.kernel.org Signed-off-by: Giovanni Cabiddu Reviewed-by: Adam Guerin Reviewed-by: Wojciech Ziemba Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin --- drivers/crypto/qat/qat_common/qat_asym_algs.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/crypto/qat/qat_common/qat_asym_algs.c b/drivers/crypto/qat/qat_common/qat_asym_algs.c index 25bbd22085c3..947eeff181b4 100644 --- a/drivers/crypto/qat/qat_common/qat_asym_algs.c +++ b/drivers/crypto/qat/qat_common/qat_asym_algs.c @@ -656,6 +656,10 @@ static int qat_rsa_enc(struct akcipher_request *req) req->dst_len = ctx->key_sz; return -EOVERFLOW; } + + if (req->src_len > ctx->key_sz) + return -EINVAL; + memset(msg, '\0', sizeof(*msg)); ICP_QAT_FW_PKE_HDR_VALID_FLAG_SET(msg->pke_hdr, ICP_QAT_FW_COMN_REQ_FLAG_SET); @@ -785,6 +789,10 @@ static int qat_rsa_dec(struct akcipher_request *req) req->dst_len = ctx->key_sz; return -EOVERFLOW; } + + if (req->src_len > ctx->key_sz) + return -EINVAL; + memset(msg, '\0', sizeof(*msg)); ICP_QAT_FW_PKE_HDR_VALID_FLAG_SET(msg->pke_hdr, ICP_QAT_FW_COMN_REQ_FLAG_SET); -- 2.35.1