From: "Horia Geantă" <horia.geanta@nxp.com>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>,
Dan Douglass <dan.douglass@nxp.com>,
Tudor Ambarus <tudor-dan.ambarus@nxp.com>,
"Cristian Stoica" <cristian.stoica@nxp.com>,
<linux-crypto@vger.kernel.org>
Subject: [PATCH 05/12] crypto: caam - check sg_count() return value
Date: Fri, 10 Feb 2017 14:07:18 +0200 [thread overview]
Message-ID: <1486728445-13047-6-git-send-email-horia.geanta@nxp.com> (raw)
In-Reply-To: <1486728445-13047-1-git-send-email-horia.geanta@nxp.com>
sg_count() internally calls sg_nents_for_len(), which could fail
in case the required number of bytes is larger than the total
bytes in the S/G.
Thus, add checks to validate the input.
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
---
drivers/crypto/caam/caamalg.c | 44 +++++++++++++++++++++++++++++++++++++++++--
1 file changed, 42 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/caam/caamalg.c b/drivers/crypto/caam/caamalg.c
index 05d4690351b9..ed8a04412767 100644
--- a/drivers/crypto/caam/caamalg.c
+++ b/drivers/crypto/caam/caamalg.c
@@ -1335,13 +1335,31 @@ static struct aead_edesc *aead_edesc_alloc(struct aead_request *req,
if (unlikely(req->dst != req->src)) {
src_nents = sg_count(req->src, req->assoclen + req->cryptlen);
+ if (unlikely(src_nents < 0)) {
+ dev_err(jrdev, "Insufficient bytes (%d) in src S/G\n",
+ req->assoclen + req->cryptlen);
+ return ERR_PTR(src_nents);
+ }
+
dst_nents = sg_count(req->dst,
req->assoclen + req->cryptlen +
(encrypt ? authsize : (-authsize)));
+ if (unlikely(dst_nents < 0)) {
+ dev_err(jrdev, "Insufficient bytes (%d) in dst S/G\n",
+ req->assoclen + req->cryptlen +
+ (encrypt ? authsize : (-authsize)));
+ return ERR_PTR(dst_nents);
+ }
} else {
src_nents = sg_count(req->src,
req->assoclen + req->cryptlen +
(encrypt ? authsize : 0));
+ if (unlikely(src_nents < 0)) {
+ dev_err(jrdev, "Insufficient bytes (%d) in src S/G\n",
+ req->assoclen + req->cryptlen +
+ (encrypt ? authsize : 0));
+ return ERR_PTR(src_nents);
+ }
}
/* Check if data are contiguous. */
@@ -1609,9 +1627,20 @@ static struct ablkcipher_edesc *ablkcipher_edesc_alloc(struct ablkcipher_request
int sec4_sg_index;
src_nents = sg_count(req->src, req->nbytes);
+ if (unlikely(src_nents < 0)) {
+ dev_err(jrdev, "Insufficient bytes (%d) in src S/G\n",
+ req->nbytes);
+ return ERR_PTR(src_nents);
+ }
- if (req->dst != req->src)
+ if (req->dst != req->src) {
dst_nents = sg_count(req->dst, req->nbytes);
+ if (unlikely(dst_nents < 0)) {
+ dev_err(jrdev, "Insufficient bytes (%d) in dst S/G\n",
+ req->nbytes);
+ return ERR_PTR(dst_nents);
+ }
+ }
if (likely(req->src == req->dst)) {
sgc = dma_map_sg(jrdev, req->src, src_nents ? : 1,
@@ -1807,6 +1836,11 @@ static struct ablkcipher_edesc *ablkcipher_giv_edesc_alloc(
int sec4_sg_index;
src_nents = sg_count(req->src, req->nbytes);
+ if (unlikely(src_nents < 0)) {
+ dev_err(jrdev, "Insufficient bytes (%d) in src S/G\n",
+ req->nbytes);
+ return ERR_PTR(src_nents);
+ }
if (likely(req->src == req->dst)) {
sgc = dma_map_sg(jrdev, req->src, src_nents ? : 1,
@@ -1826,6 +1860,12 @@ static struct ablkcipher_edesc *ablkcipher_giv_edesc_alloc(
}
dst_nents = sg_count(req->dst, req->nbytes);
+ if (unlikely(dst_nents < 0)) {
+ dev_err(jrdev, "Insufficient bytes (%d) in dst S/G\n",
+ req->nbytes);
+ return ERR_PTR(dst_nents);
+ }
+
sgc = dma_map_sg(jrdev, req->dst, dst_nents ? : 1,
DMA_FROM_DEVICE);
if (unlikely(!sgc)) {
@@ -1914,7 +1954,7 @@ static int ablkcipher_givencrypt(struct skcipher_givcrypt_request *creq)
struct crypto_ablkcipher *ablkcipher = crypto_ablkcipher_reqtfm(req);
struct caam_ctx *ctx = crypto_ablkcipher_ctx(ablkcipher);
struct device *jrdev = ctx->jrdev;
- bool iv_contig;
+ bool iv_contig = false;
u32 *desc;
int ret = 0;
--
2.4.4
next prev parent reply other threads:[~2017-02-10 12:07 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-10 12:07 [PATCH 00/12] crypto: caam - fixes Horia Geantă
2017-02-10 12:07 ` [PATCH 01/12] crypto: caam - don't include unneeded headers Horia Geantă
2017-02-10 12:07 ` [PATCH 02/12] crypto: caam - check return code of dma_set_mask_and_coherent() Horia Geantă
2017-02-10 12:07 ` [PATCH 03/12] crypto: caam - fix JR IO mapping if one fails Horia Geantă
2017-02-10 12:07 ` [PATCH 04/12] crypto: caam - fix HW S/G in ablkcipher_giv_edesc_alloc() Horia Geantă
2017-02-10 12:07 ` Horia Geantă [this message]
2017-02-10 12:07 ` [PATCH 06/12] crypto: caam - replace sg_count() with sg_nents_for_len() Horia Geantă
2017-02-10 12:07 ` [PATCH 07/12] crypto: caam - use dma_map_sg() return code Horia Geantă
2017-02-10 12:07 ` [PATCH 08/12] crypto: caam - don't dma_map key for hash algorithms Horia Geantă
2017-02-10 12:07 ` [PATCH 09/12] crypto: caam - fix DMA API leaks for multiple setkey() calls Horia Geantă
2017-02-10 12:07 ` [PATCH 10/12] crypto: caam - fix error path for ctx_dma mapping failure Horia Geantă
2017-02-10 12:07 ` [PATCH 11/12] crypto: caam - abstract ahash request double buffering Horia Geantă
2017-02-10 12:07 ` [PATCH 12/12] crypto: caam - fix state buffer DMA (un)mapping Horia Geantă
2017-02-15 5:33 ` [PATCH 00/12] crypto: caam - fixes Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1486728445-13047-6-git-send-email-horia.geanta@nxp.com \
--to=horia.geanta@nxp.com \
--cc=cristian.stoica@nxp.com \
--cc=dan.douglass@nxp.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=tudor-dan.ambarus@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox