[v2] crypto: bcm/spu2 - Add buffer size check

Message ID	20240322205915.13305-1-amishin@t-argos.ru
State	New
Headers	show Received: from mx1.t-argos.ru (mx1.t-argos.ru [109.73.34.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D7B9C1E53A; Fri, 22 Mar 2024 21:01:10 +0000 (UTC) From: Aleksandr Mishin <amishin@t-argos.ru> To: Herbert Xu <herbert@gondor.apana.org.au> CC: Aleksandr Mishin <amishin@t-argos.ru>, "David S. Miller" <davem@davemloft.net>, Steve Lin <steven.lin1@broadcom.com>, Rob Rice <rob.rice@broadcom.com>, <linux-crypto@vger.kernel.org>, <linux-kernel@vger.kernel.org>, <lvc-project@linuxtesting.org> Subject: [PATCH v2] crypto: bcm/spu2 - Add buffer size check Date: Fri, 22 Mar 2024 23:59:15 +0300 Message-ID: <20240322205915.13305-1-amishin@t-argos.ru> In-Reply-To: <20240306110022.21574-1-amishin@t-argos.ru> References: Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain FromAlignment: s bases: 2024/03/22 20:48:00 bases: 2024/03/22 14:30:00 #24353062
Series	[v2] crypto: bcm/spu2 - Add buffer size check \| expand [v2] crypto: bcm/spu2 - Add buffer size check

Message ID

20240322205915.13305-1-amishin@t-argos.ru

State

New

Headers

From: Aleksandr Mishin <amishin@t-argos.ru>
To: Herbert Xu <herbert@gondor.apana.org.au>
CC: Aleksandr Mishin <amishin@t-argos.ru>, "David S. Miller"
	<davem@davemloft.net>, Steve Lin <steven.lin1@broadcom.com>, Rob Rice
	<rob.rice@broadcom.com>, <linux-crypto@vger.kernel.org>,
	<linux-kernel@vger.kernel.org>, <lvc-project@linuxtesting.org>
Subject: [PATCH v2] crypto: bcm/spu2 - Add buffer size check
Date: Fri, 22 Mar 2024 23:59:15 +0300
Message-ID: <20240322205915.13305-1-amishin@t-argos.ru>
In-Reply-To: <20240306110022.21574-1-amishin@t-argos.ru>
References: 
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Series

[v2] crypto: bcm/spu2 - Add buffer size check | expand

Commit Message

Aleksandr Mishin March 22, 2024, 8:59 p.m. UTC

In spu2_dump_omd() value of ptr is increased by ciph_key_len
instead of hash_iv_len which could lead to going beyond the
buffer boundaries.
Fix this bug by changing ciph_key_len to hash_iv_len.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver")
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
---
v2: Fix commit message according to the Linux kernel rules

 drivers/crypto/bcm/spu2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Herbert Xu March 28, 2024, 10:57 a.m. UTC | #1

On Fri, Mar 22, 2024 at 11:59:15PM +0300, Aleksandr Mishin wrote:
> In spu2_dump_omd() value of ptr is increased by ciph_key_len
> instead of hash_iv_len which could lead to going beyond the
> buffer boundaries.
> Fix this bug by changing ciph_key_len to hash_iv_len.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver")
> Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
> ---
> v2: Fix commit message according to the Linux kernel rules
> 
>  drivers/crypto/bcm/spu2.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Patch applied.  Thanks.

diff --git a/drivers/crypto/bcm/spu2.c b/drivers/crypto/bcm/spu2.c
index 07989bb8c220..3fdc64b5a65e 100644
--- a/drivers/crypto/bcm/spu2.c
+++ b/drivers/crypto/bcm/spu2.c
@@ -495,7 +495,7 @@  static void spu2_dump_omd(u8 *omd, u16 hash_key_len, u16 ciph_key_len,
 	if (hash_iv_len) {
 		packet_log("  Hash IV Length %u bytes\n", hash_iv_len);
 		packet_dump("  hash IV: ", ptr, hash_iv_len);
-		ptr += ciph_key_len;
+		ptr += hash_iv_len;
 	}
 
 	if (ciph_iv_len) {