Re: [PATCH] crypto: marvell/octeontx - prevent integer overflows

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Sep 01, 2022 at 06:32:09PM +0300, Dan Carpenter wrote:
>
> @@ -303,7 +304,13 @@ static int process_tar_file(struct device *dev,
>  	if (get_ucode_type(ucode_hdr, &ucode_type))
>  		return 0;
>  
> -	ucode_size = ntohl(ucode_hdr->code_length) * 2;
> +	code_length = ntohl(ucode_hdr->code_length);
> +	if (code_length >= INT_MAX / 2) {
> +		dev_err(dev, "Invalid code_length %u\n", code_length);
> +		return -EINVAL;
> +	}
> +
> +	ucode_size = code_length * 2;
>  	if (!ucode_size || (size < round_up(ucode_size, 16) +
>  	    sizeof(struct otx_cpt_ucode_hdr) + OTX_CPT_UCODE_SIGN_LEN)) {
>  		dev_err(dev, "Ucode %s invalid size\n", filename);

How come you didn't add a "ucode_size > size" check like you did
below?

> @@ -896,9 +904,16 @@ static int ucode_load(struct device *dev, struct otx_cpt_ucode *ucode,
>  	ucode_hdr = (struct otx_cpt_ucode_hdr *) fw->data;
>  	memcpy(ucode->ver_str, ucode_hdr->ver_str, OTX_CPT_UCODE_VER_STR_SZ);
>  	ucode->ver_num = ucode_hdr->ver_num;
> -	ucode->size = ntohl(ucode_hdr->code_length) * 2;
> -	if (!ucode->size || (fw->size < round_up(ucode->size, 16)
> -	    + sizeof(struct otx_cpt_ucode_hdr) + OTX_CPT_UCODE_SIGN_LEN)) {
> +	code_length = ntohl(ucode_hdr->code_length);
> +	if (code_length >= INT_MAX / 2) {
> +		ret = -EINVAL;
> +		goto release_fw;
> +	}
> +	ucode->size = code_length * 2;
> +	if (!ucode->size ||
> +	    ucode->size > fw->size ||
> +	    (fw->size < round_up(ucode->size, 16) +
> +	     sizeof(struct otx_cpt_ucode_hdr) + OTX_CPT_UCODE_SIGN_LEN)) {
>  		dev_err(dev, "Ucode %s invalid size\n", ucode_filename);
>  		ret = -EINVAL;
>  		goto release_fw;
> -- 
> 2.35.1

Thanks,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]
  Powered by Linux