crypto: msm: check invalid src and dst vbuf in qcedev.c
src and dst vbuf address and length are provided from userspace, and they are invalid if vbuf address is NULL but length is not zero. Add additional checks in qcedev_check_cipher_params to prevent it. Change-Id: Iadc1a0c1c5b2f7a56acd03a23c08e45b5a671b19 Signed-off-by: Zhen Kong <zkong@codeaurora.org>
parent
132ee2333a
commit
2fa3c21819
|
@ -1518,6 +1518,11 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
|
|||
}
|
||||
/* Check for sum of all dst length is equal to data_len */
|
||||
for (i = 0, total = 0; i < req->entries; i++) {
|
||||
if (!req->vbuf.dst[i].vaddr && req->vbuf.dst[i].len) {
|
||||
pr_err("%s: NULL req dst vbuf[%d] with length %d\n",
|
||||
__func__, i, req->vbuf.dst[i].len);
|
||||
goto error;
|
||||
}
|
||||
if (req->vbuf.dst[i].len >= U32_MAX - total) {
|
||||
pr_err("%s: Integer overflow on total req dst vbuf length\n",
|
||||
__func__);
|
||||
|
@ -1532,6 +1537,11 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
|
|||
}
|
||||
/* Check for sum of all src length is equal to data_len */
|
||||
for (i = 0, total = 0; i < req->entries; i++) {
|
||||
if (!req->vbuf.src[i].vaddr && req->vbuf.src[i].len) {
|
||||
pr_err("%s: NULL req src vbuf[%d] with length %d\n",
|
||||
__func__, i, req->vbuf.src[i].len);
|
||||
goto error;
|
||||
}
|
||||
if (req->vbuf.src[i].len > U32_MAX - total) {
|
||||
pr_err("%s: Integer overflow on total req src vbuf length\n",
|
||||
__func__);
|
||||
|
|
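Review bot: The guard added at the top of the dst loop, and its twin in the src loop, rejects only a NULL `vaddr` paired with a non-zero `len`; any other bad address supplied by the caller (unmapped, or outside user space) still passes `qcedev_check_cipher_params`. Whether each `vaddr`/`len` range gets an `access_ok()` check or is only ever touched through `copy_from_user()`/`copy_to_user()` is decided outside this hunk, so a short comment such as `/* rejects NULL+len only; range validity must be enforced where the buffer is copied */` would stop readers from treating this as full pointer validation. Both new `pr_err` calls are reachable with caller-chosen values and print `len` with `%d`; if `len` is the u32 that the `U32_MAX` comparison implies, `%u` is the matching specifier, and `pr_err_ratelimited` would keep repeated bad requests from flooding the kernel log. Separately, the surrounding context lines compare with `>=` in the dst loop and `>` in the src loop, which looks unintentional and is worth aligning. The function body starts and ends outside the hunks, so the `error` label and the bound on `req->entries` are not visible here.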