Piteball
/
android_kernel_samsung_msm8976
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity

crypto: msm: check invalid src and dst vbuf in qcedev.c 

src and dst vbuf address and length are provided from userspace,
and they are invalid if vbuf address is NULL but length is not zero.
Add additional checks in qcedev_check_cipher_params to prevent it.

Change-Id: Iadc1a0c1c5b2f7a56acd03a23c08e45b5a671b19
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
This commit is contained in:
Zhen Kong 2017-02-21 11:35:37 -08:00 committed by Gerrit - the friendly Code Review server
parent 132ee2333a
commit 2fa3c21819
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
drivers/crypto/msm/qcedev.c
View File

@ -1518,6 +1518,11 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
}
/* Check for sum of all dst length is equal to data_len */
for (i = 0, total = 0; i < req->entries; i++) {
if (!req->vbuf.dst[i].vaddr && req->vbuf.dst[i].len) {
pr_err("%s: NULL req dst vbuf[%d] with length %d\n",
__func__, i, req->vbuf.dst[i].len);
goto error;
}
if (req->vbuf.dst[i].len >= U32_MAX - total) {
pr_err("%s: Integer overflow on total req dst vbuf length\n",
__func__);
@ -1532,6 +1537,11 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
}
/* Check for sum of all src length is equal to data_len */
for (i = 0, total = 0; i < req->entries; i++) {
if (!req->vbuf.src[i].vaddr && req->vbuf.src[i].len) {
pr_err("%s: NULL req src vbuf[%d] with length %d\n",
__func__, i, req->vbuf.src[i].len);
goto error;
}
if (req->vbuf.src[i].len > U32_MAX - total) {
pr_err("%s: Integer overflow on total req src vbuf length\n",
__func__);