Linux cryptographic layer development
 help / color / mirror / Atom feed
From: Herbert Xu <herbert@gondor.apana.org.au>
To: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Cc: linux-crypto@vger.kernel.org, qat-linux@intel.com,
	stable@vger.kernel.org, Ahsan Atta <ahsan.atta@intel.com>,
	Laurent M Coquerel <laurent.m.coquerel@intel.com>
Subject: Re: [PATCH] crypto: qat - validate RSA CRT component lengths
Date: Thu, 11 Jun 2026 16:47:11 +0800	[thread overview]
Message-ID: <aip2D_O8EprwIL4u@gondor.apana.org.au> (raw)
In-Reply-To: <20260528155854.40858-1-giovanni.cabiddu@intel.com>

On Thu, May 28, 2026 at 04:57:44PM +0100, Giovanni Cabiddu wrote:
> The generic RSA key parser (rsa_helper.c) bounds each CRT component (p,
> q, dp, dq, qinv) by the modulus size n_sz, but qat_rsa_setkey_crt()
> allocates half-size DMA buffers (key_sz / 2) and right-aligns each
> component with:
> 
>     memcpy(dst + half_key_sz - len, src, len)
> 
> When a CRT component is larger than half_key_sz the subtraction
> underflows and memcpy writes past the DMA buffer, causing memory
> corruption.
> 
> Add a len > half_key_sz check next to the existing !len check for each
> of the five CRT components so the driver falls back to the non-CRT path
> instead of writing out of bounds.
> 
> Fixes: 879f77e9071f ("crypto: qat - Add RSA CRT mode")
> Cc: stable@vger.kernel.org
> Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
> Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
> Reviewed-by: Laurent M Coquerel <laurent.m.coquerel@intel.com>
> Tested-by: Laurent M Coquerel <laurent.m.coquerel@intel.com>
> ---
>  drivers/crypto/intel/qat/qat_common/qat_asym_algs.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

      reply	other threads:[~2026-06-11  8:47 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-28 15:57 [PATCH] crypto: qat - validate RSA CRT component lengths Giovanni Cabiddu
2026-06-11  8:47 ` Herbert Xu [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aip2D_O8EprwIL4u@gondor.apana.org.au \
    --to=herbert@gondor.apana.org.au \
    --cc=ahsan.atta@intel.com \
    --cc=giovanni.cabiddu@intel.com \
    --cc=laurent.m.coquerel@intel.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=qat-linux@intel.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox