From: Dan Carpenter <dan.carpenter@oracle.com>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: George Cherian <gcherian@marvell.com>,
"David S. Miller" <davem@davemloft.net>,
David Daney <david.daney@cavium.com>,
linux-crypto@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [PATCH] crypto: cavium - prevent integer overflow loading firmware
Date: Thu, 15 Sep 2022 16:49:57 +0300 [thread overview]
Message-ID: <YyMthStaEzAStvS1@kadam> (raw)
In-Reply-To: <Yxm5HrtXBiz6gKtv@gondor.apana.org.au>
On Thu, Sep 08, 2022 at 05:42:54PM +0800, Herbert Xu wrote:
> On Thu, Sep 01, 2022 at 06:32:53PM +0300, Dan Carpenter wrote:
> >
> > @@ -263,7 +264,13 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae)
> > ucode = (struct ucode_header *)fw_entry->data;
> > mcode = &cpt->mcode[cpt->next_mc_idx];
> > memcpy(mcode->version, (u8 *)fw_entry->data, CPT_UCODE_VERSION_SZ);
> > - mcode->code_size = ntohl(ucode->code_length) * 2;
> > +
> > + code_length = ntohl(ucode->code_length);
> > + if (code_length >= INT_MAX / 2) {
> > + ret = -EINVAL;
> > + goto fw_release;
> > + }
> > + mcode->code_size = code_length;
>
> Where did the "* 2" go?
Crud. :/ Sorry.
>
> BTW, what is the threat model here? If the firmware metadata can't
> be trusted, shouldn't we be capping the firmware size at a level
> a lot lower than INT_MAX?
This is not firmware metadata, I'm fairly sure the fw_entry->data is raw
data from the file system. Realistically, if you can't trust your
firmware then you are probably toasted but there is a move to trust as
little as possible. Also Smatch marks data from the file system as
untrusted so it will generate static checker warnings.
regards,
dan carpenter
prev parent reply other threads:[~2022-09-15 13:50 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-01 15:32 [PATCH] crypto: cavium - prevent integer overflow loading firmware Dan Carpenter
2022-09-08 9:42 ` Herbert Xu
2022-09-15 13:49 ` Dan Carpenter [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YyMthStaEzAStvS1@kadam \
--to=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=david.daney@cavium.com \
--cc=gcherian@marvell.com \
--cc=herbert@gondor.apana.org.au \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).