[v2] crypto: qat - add limit to linked list parsing

Message ID	20220921090923.213968-1-adam.guerin@intel.com
State	Accepted
Commit	72f6e0ea2b0ecea8585f3cd4298286c85c5121e6
Headers	show Return-Path: <linux-crypto-owner@kernel.org> From: Adam Guerin <adam.guerin@intel.com> To: herbert@gondor.apana.org.au Cc: linux-crypto@vger.kernel.org, qat-linux@intel.com, Adam Guerin <adam.guerin@intel.com>, Ciunas Bennett <ciunas.bennett@intel.com>, Giovanni Cabiddu <giovanni.cabiddu@intel.com> Subject: [PATCH v2] crypto: qat - add limit to linked list parsing Date: Wed, 21 Sep 2022 10:09:24 +0100 Message-Id: <20220921090923.213968-1-adam.guerin@intel.com> MIME-Version: 1.0 Organisation: Intel Research and Development Ireland Ltd - Co. Reg. #308263 - Collinstown Industrial Park, Leixlip, County Kildare, Ireland Content-Transfer-Encoding: 8bit Precedence: bulk
Series	[v2] crypto: qat - add limit to linked list parsing \| expand [v2] crypto: qat - add limit to linked list parsing

Message ID

20220921090923.213968-1-adam.guerin@intel.com

State

Accepted

Commit

72f6e0ea2b0ecea8585f3cd4298286c85c5121e6

Headers

From: Adam Guerin <adam.guerin@intel.com>
To: herbert@gondor.apana.org.au
Cc: linux-crypto@vger.kernel.org, qat-linux@intel.com,
        Adam Guerin <adam.guerin@intel.com>,
        Ciunas Bennett <ciunas.bennett@intel.com>,
        Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Subject: [PATCH v2] crypto: qat - add limit to linked list parsing
Date: Wed, 21 Sep 2022 10:09:24 +0100
Message-Id: <20220921090923.213968-1-adam.guerin@intel.com>
MIME-Version: 1.0
Organisation: Intel Research and Development Ireland Ltd - Co. Reg. #308263 -
 Collinstown Industrial Park, Leixlip, County Kildare, Ireland
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

[v2] crypto: qat - add limit to linked list parsing | expand

Commit Message

Adam Guerin Sept. 21, 2022, 9:09 a.m. UTC

adf_copy_key_value_data() copies data from userland to kernel, based on
a linked link provided by userland. If userland provides a circular
list (or just a very long one) then it would drive a long loop where
allocation occurs in every loop. This could lead to low memory conditions.
Adding a limit to stop endless loop.

Signed-off-by: Adam Guerin <adam.guerin@intel.com>
Co-developed-by: Ciunas Bennett <ciunas.bennett@intel.com>
Signed-off-by: Ciunas Bennett <ciunas.bennett@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
---
v2: improved patch based off feedback from ML
drivers/crypto/qat/qat_common/adf_ctl_drv.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)


base-commit: 8aee6d5494bfb2e535307eb3e80e38cc5cc1c7a6

Comments

Giovanni Cabiddu Sept. 21, 2022, 9:38 a.m. UTC | #1

Hi Herbert,

This patch was accidentally sent starting from V2. Adam is going to
resend.

Regards,

Herbert Xu Sept. 30, 2022, 6:15 a.m. UTC | #2

On Wed, Sep 21, 2022 at 10:09:24AM +0100, Adam Guerin wrote:
> adf_copy_key_value_data() copies data from userland to kernel, based on
> a linked link provided by userland. If userland provides a circular
> list (or just a very long one) then it would drive a long loop where
> allocation occurs in every loop. This could lead to low memory conditions.
> Adding a limit to stop endless loop.
> 
> Signed-off-by: Adam Guerin <adam.guerin@intel.com>
> Co-developed-by: Ciunas Bennett <ciunas.bennett@intel.com>
> Signed-off-by: Ciunas Bennett <ciunas.bennett@intel.com>
> Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
> ---
> v2: improved patch based off feedback from ML
> drivers/crypto/qat/qat_common/adf_ctl_drv.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)

Patch applied.  Thanks.

diff --git a/drivers/crypto/qat/qat_common/adf_ctl_drv.c b/drivers/crypto/qat/qat_common/adf_ctl_drv.c
index 508c18edd692..82b69e1f725b 100644
--- a/drivers/crypto/qat/qat_common/adf_ctl_drv.c
+++ b/drivers/crypto/qat/qat_common/adf_ctl_drv.c
@@ -16,6 +16,9 @@ 
 #include "adf_cfg_common.h"
 #include "adf_cfg_user.h"
 
+#define ADF_CFG_MAX_SECTION 512
+#define ADF_CFG_MAX_KEY_VAL 256
+
 #define DEVICE_NAME "qat_adf_ctl"
 
 static DEFINE_MUTEX(adf_ctl_lock);
@@ -137,10 +140,11 @@  static int adf_copy_key_value_data(struct adf_accel_dev *accel_dev,
 	struct adf_user_cfg_key_val key_val;
 	struct adf_user_cfg_key_val *params_head;
 	struct adf_user_cfg_section section, *section_head;
+	int i, j;
 
 	section_head = ctl_data->config_section;
 
-	while (section_head) {
+	for (i = 0; section_head && i < ADF_CFG_MAX_SECTION; i++) {
 		if (copy_from_user(&section, (void __user *)section_head,
 				   sizeof(*section_head))) {
 			dev_err(&GET_DEV(accel_dev),
@@ -156,7 +160,7 @@  static int adf_copy_key_value_data(struct adf_accel_dev *accel_dev,
 
 		params_head = section.params;
 
-		while (params_head) {
+		for (j = 0; params_head && j < ADF_CFG_MAX_KEY_VAL; j++) {
 			if (copy_from_user(&key_val, (void __user *)params_head,
 					   sizeof(key_val))) {
 				dev_err(&GET_DEV(accel_dev),