Patch "crypto: cavium - prevent integer overflow loading firmware" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 16 Oct 2022 23:38:46 -0400

This is a note to let you know that I've just added the patch titled

    crypto: cavium - prevent integer overflow loading firmware

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     crypto-cavium-prevent-integer-overflow-loading-firmw.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 16d35d51a753eb2ec15e0d860e5fa2d912b5ac12
Author: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date:   Mon Sep 19 09:43:27 2022 +0300

    crypto: cavium - prevent integer overflow loading firmware
    
    [ Upstream commit 2526d6bf27d15054bb0778b2f7bc6625fd934905 ]
    
    The "code_length" value comes from the firmware file.  If your firmware
    is untrusted realistically there is probably very little you can do to
    protect yourself.  Still we try to limit the damage as much as possible.
    Also Smatch marks any data read from the filesystem as untrusted and
    prints warnings if it not capped correctly.
    
    The "ntohl(ucode->code_length) * 2" multiplication can have an
    integer overflow.
    
    Fixes: 9e2c7d99941d ("crypto: cavium - Add Support for Octeon-tx CPT Engine")
    Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
    Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/crypto/cavium/cpt/cptpf_main.c b/drivers/crypto/cavium/cpt/cptpf_main.c
index 781949027451..d9362199423f 100644
--- a/drivers/crypto/cavium/cpt/cptpf_main.c
+++ b/drivers/crypto/cavium/cpt/cptpf_main.c
@@ -254,6 +254,7 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae)
 	const struct firmware *fw_entry;
 	struct device *dev = &cpt->pdev->dev;
 	struct ucode_header *ucode;
+	unsigned int code_length;
 	struct microcode *mcode;
 	int j, ret = 0;
 
@@ -264,11 +265,12 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae)
 	ucode = (struct ucode_header *)fw_entry->data;
 	mcode = &cpt->mcode[cpt->next_mc_idx];
 	memcpy(mcode->version, (u8 *)fw_entry->data, CPT_UCODE_VERSION_SZ);
-	mcode->code_size = ntohl(ucode->code_length) * 2;
-	if (!mcode->code_size) {
+	code_length = ntohl(ucode->code_length);
+	if (code_length == 0 || code_length >= INT_MAX / 2) {
 		ret = -EINVAL;
 		goto fw_release;
 	}
+	mcode->code_size = code_length * 2;
 
 	mcode->is_ae = is_ae;
 	mcode->core_mask = 0ULL;






