From c9f4b0f0ca8a1e35af685c36560083367cfdf8f3 Mon Sep 17 00:00:00 2001 From: Tanwee Kausar Date: Mon, 10 Aug 2020 16:10:50 -0700 Subject: [PATCH 1/2] crypto: Fix possible stack out of bound error Adding fix to check the upper limit on the length of the destination array while copying elements from source address to avoid stack out of bound error. Change-Id: Ieb24e8f9b4a2b53fbc9442b25d790b12f737d471 Signed-off-by: Tanwee Kausar --- drivers/crypto/msm/qce50.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/crypto/msm/qce50.c b/drivers/crypto/msm/qce50.c index 9378eb7e3cac..4dffe02f4b89 100644 --- a/drivers/crypto/msm/qce50.c +++ b/drivers/crypto/msm/qce50.c @@ -781,6 +781,11 @@ static int _ce_setup_cipher(struct qce_device *pce_dev, struct qce_req *creq, switch (creq->alg) { case CIPHER_ALG_DES: if (creq->mode != QCE_MODE_ECB) { + if (ivsize > MAX_IV_LENGTH) { + pr_err("%s: error: Invalid length parameter\n", + __func__); + return -EINVAL; + } _byte_stream_to_net_words(enciv32, creq->iv, ivsize); pce = cmdlistinfo->encr_cntr_iv; pce->data = enciv32[0]; From c5366f4da3ef4a0717cee3b9cad97ff3297d2e44 Mon Sep 17 00:00:00 2001 From: Tanwee Kausar Date: Tue, 13 Oct 2020 17:17:17 -0700 Subject: [PATCH 2/2] crypto: Fix possible stack out of bound error Adding fix to check the upper limit on the length of the destination array while copying elements from source address to avoid stack out of bound error. Change-Id: I783f8ab3eb5a94cf503f831df8325c214ca710e4 Signed-off-by: Tanwee Kausar --- drivers/crypto/msm/qce.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/msm/qce.c b/drivers/crypto/msm/qce.c index 3c657c8becde..c7e375d04271 100644 --- a/drivers/crypto/msm/qce.c +++ b/drivers/crypto/msm/qce.c @@ -1,6 +1,6 @@ /* Qualcomm Crypto Engine driver. * - * Copyright (c) 2010-2016, The Linux Foundation. All rights reserved. + * Copyright (c) 2010-2016, 2020 The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -768,6 +768,11 @@ static int _ce_setup(struct qce_device *pce_dev, struct qce_req *q_req, switch (q_req->alg) { case CIPHER_ALG_DES: if (q_req->mode != QCE_MODE_ECB) { + if (ivsize > MAX_IV_LENGTH) { + pr_err("%s: error: Invalid length parameter\n", + __func__); + return -EINVAL; + } _byte_stream_to_net_words(enciv32, q_req->iv, ivsize); writel_relaxed(enciv32[0], pce_dev->iobase + CRYPTO_CNTR0_IV0_REG);