src_size and aad_size are defined as u32, so the following expressions are currently being evaluated using 32-bit arithmetic: bit_len = src_size * 8; ... bit_len = aad_size * 8; However, bit_len is used afterwards in a context that expects a valid 64-bit value (the lower and upper 32-bit words of bit_len are extracted and written to hw). In order to make sure the correct bit length is generated and the 32-bit multiplication does not wrap around, cast src_size and aad_size to u64. Signed-off-by: Ovidiu Panait <ovidiu.panait@xxxxxxxxxxxxx> --- drivers/crypto/keembay/ocs-aes.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/keembay/ocs-aes.c b/drivers/crypto/keembay/ocs-aes.c index cc286adb1c4a..b85c89477afa 100644 --- a/drivers/crypto/keembay/ocs-aes.c +++ b/drivers/crypto/keembay/ocs-aes.c @@ -958,14 +958,14 @@ int ocs_aes_gcm_op(struct ocs_aes_dev *aes_dev, ocs_aes_write_last_data_blk_len(aes_dev, src_size); /* Write ciphertext bit length */ - bit_len = src_size * 8; + bit_len = (u64)src_size * 8; val = bit_len & 0xFFFFFFFF; iowrite32(val, aes_dev->base_reg + AES_MULTIPURPOSE2_0_OFFSET); val = bit_len >> 32; iowrite32(val, aes_dev->base_reg + AES_MULTIPURPOSE2_1_OFFSET); /* Write aad bit length */ - bit_len = aad_size * 8; + bit_len = (u64)aad_size * 8; val = bit_len & 0xFFFFFFFF; iowrite32(val, aes_dev->base_reg + AES_MULTIPURPOSE2_2_OFFSET); val = bit_len >> 32; -- 2.17.1
