msm: crypto: Fix integer overflow check in qcedev driver
Integer overflow check always fails when ULONG_MAX is used,
as ULONG_MAX is 2^64-1, while req->data[i].len and total
are uint32_t. Make change to use U32_MAX instead of
ULONG_MAX.

CRs-fixed: 1046507
Change-Id: Iccf9c32400ecc7ffc0afae16f58c38e5d78a5b64
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Ticket: OPO-815
Zhen Kong authored and andi34 committed Mar 21, 2017
1 parent 442a775 commit cb6d9a5
Showing 1 changed file with 5 additions and 4 deletions.
9 changes: 5 additions & 4 deletions drivers/crypto/msm/qcedev.c
@@ -1,6 +1,6 @@
/* Qualcomm CE device driver.
*
* Copyright (c) 2010-2014, The Linux Foundation. All rights reserved.
* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
Expand Down Expand Up @@ -39,6 +39,7 @@

#define CACHE_LINE_SIZE 32
#define CE_SHA_BLOCK_SIZE SHA256_BLOCK_SIZE
#define U32_MAX (~(__u32)0)

/* are FIPS integrity tests done ?? */
bool is_fips_qcedev_integritytest_done;
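Review bot: The new #define U32_MAX (~(__u32)0) next to CE_SHA_BLOCK_SIZE is unguarded, so on any tree whose kernel headers already define U32_MAX this file redefines the macro, possibly with a different expansion. Wrap it in #ifndef U32_MAX / #endif, or drop the local definition where the headers provide one, and add a short comment saying it bounds the 32-bit vbuf length sums checked further down.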
Expand Down Expand Up @@ -1646,7 +1647,7 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
}
/* Check for sum of all dst length is equal to data_len */
for (i = 0; i < req->entries; i++) {
if (req->vbuf.dst[i].len >= ULONG_MAX - total) {
if (req->vbuf.dst[i].len >= U32_MAX - total) {
pr_err("%s: Integer overflow on total req dst vbuf length\n",
__func__);
goto error;
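Review bot: The dst check compares with >= (req->vbuf.dst[i].len >= U32_MAX - total), while the src and sha checks in the following hunks use >, so a dst length sum of exactly U32_MAX is rejected where the same sum for src is accepted. The addition wraps only when len > U32_MAX - total, so use > here as well, or say in a comment why dst is stricter. This loop header also does not reset total the way the src loop does (i = 0, total = 0), so it is worth confirming total is zero when the loop starts.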
Expand All @@ -1660,7 +1661,7 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req,
}
/* Check for sum of all src length is equal to data_len */
for (i = 0, total = 0; i < req->entries; i++) {
if (req->vbuf.src[i].len > ULONG_MAX - total) {
if (req->vbuf.src[i].len > U32_MAX - total) {
pr_err("%s: Integer overflow on total req src vbuf length\n",
__func__);
goto error;
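Review bot: This src check is the second of three copies of the same bounded-add test (dst above, sha below), and the copies already differ in the comparison operator. A small static helper that takes total and len and reports whether the sum still fits in 32 bits would keep the three call sites identical and put the U32_MAX bound in one place.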
Expand Down Expand Up @@ -1722,7 +1723,7 @@ static int qcedev_check_sha_params(struct qcedev_sha_op_req *req,

/* Check for sum of all src length is equal to data_len */
for (i = 0, total = 0; i < req->entries; i++) {
if (req->data[i].len > ULONG_MAX - total) {
if (req->data[i].len > U32_MAX - total) {
pr_err("%s: Integer overflow on total req buf length\n",
__func__);
goto sha_error;
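Review bot: The bound in req->data[i].len > U32_MAX - total is only right while total and len stay 32 bits wide, which is the same coupling that made the ULONG_MAX version ineffective. Nothing in the hunk ties the constant to the declarations, so add a comment at the declaration of total, or a compile-time size assertion such as BUILD_BUG_ON(sizeof(total) != sizeof(__u32)), so that a later type change fails visibly instead of silently disabling the check.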