Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp3888905rwi; Sat, 22 Oct 2022 01:36:57 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4KMcaaDMQjfL0LYSbfZUTj+OKIAmLaZCJtxU7a6gcJCiEOwf3dFfeNxgSPDEZ5OtmHbZLS X-Received: by 2002:a17:902:ba8f:b0:17f:9b1b:6634 with SMTP id k15-20020a170902ba8f00b0017f9b1b6634mr23442319pls.171.1666427817108; Sat, 22 Oct 2022 01:36:57 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666427817; cv=none; d=google.com; s=arc-20160816; b=Ty59ZnP8T8477mdNgbiDNemMON0JhsuI56AUqeFkXHVHochXD29sJicYQ5fYVJxp5R 4ktkh3zLqScAmDL9WQyMPkqJkYaOSatNk/af6f+W7ktrM/0uIU8KHTAcEkT9d1O/dRoU eCZzO9OQcjfMtl0pnirfdG0UNHyyLZUjJteoE3Wm3ZXnKGoZ1TdkR/+Y/03V8TXkZd1H QTBm57sPijFpJ5yk/fR8rdJwo5htUVGR65s4XwE7wrwFnKyX5OxnyQvzBcAQ304It3fi nIp+n9M3JCRM6W9sne0S9/LnnrjFJBbT2A+8iaRA2XnEQ02M8jEugrQTAN/N8LGbnSP2 POSw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=VJ+Rg+1xcgXv+IYAaiAFf0JVtaFhhpPuyaFYntOWOtM=; b=vsSNkWoO5TwogM+UL76MdVhueeTFCbs5mDXniAncBOPl8ch8fqCECA+szVW92p4vYR tkx5dcHugV+srS4FQXePrflm2JW314YGEdzTeagpvG/rGGSZAMQTyFd1jYcJeL1Sixpw I4OBC38FVe2esCo5PFHnD+Gjdn+/GgUEgkz+wYBNftxbtYNBuepxK+wvgQqQH+DZVoF1 N5x+rnuPr1G0FrsNOfkvNJEjwfvYe/enAirj9NWbp3g3mDg4WKk1fECfklbv9yA4ZFJQ Gyye0RE/9HelK/A/GvyxCGobE6SN/ZMSP3UCexzFKRoY4vOCuINgWWmdPMOrEddAHQdv 8lag== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="ddMV/Bov"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p41-20020a056a000a2900b0052acaf4a3c0si33157732pfh.17.2022.10.22.01.36.43; Sat, 22 Oct 2022 01:36:57 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="ddMV/Bov"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230102AbiJVI2T (ORCPT + 99 others); Sat, 22 Oct 2022 04:28:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48968 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233836AbiJVI1b (ORCPT ); Sat, 22 Oct 2022 04:27:31 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6296427023D; Sat, 22 Oct 2022 01:01:04 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id B9ADDB82E2A; Sat, 22 Oct 2022 07:58:48 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1C7F4C433C1; Sat, 22 Oct 2022 07:58:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1666425527; bh=tzkFWHdBR1QJkTnAVZrUmtw9WJSWAiTSqmAiaamAgSg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ddMV/BovTGhdoQinWWwmBvnwoa2zd5x+Bd0gd3vHUpugV3zweKmXvEtlqTgvCuhZ0 UsGU+aMCKkwWZkzIM5579U97dOTzZeVCjTufnkfKnEdy7J7Y/cC54WL4PrWAKP7ntm ZtnJ77Q5OXXnLn6AxbEAI3hOPrHtRgH7CJyCZ42I= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dan Carpenter , Herbert Xu , Sasha Levin Subject: [PATCH 5.19 531/717] crypto: marvell/octeontx - prevent integer overflows Date: Sat, 22 Oct 2022 09:26:50 +0200 Message-Id: <20221022072521.812435246@linuxfoundation.org> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221022072415.034382448@linuxfoundation.org> References: <20221022072415.034382448@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Dan Carpenter [ Upstream commit caca37cf6c749ff0303f68418cfe7b757a4e0697 ] The "code_length" value comes from the firmware file. If your firmware is untrusted realistically there is probably very little you can do to protect yourself. Still we try to limit the damage as much as possible. Also Smatch marks any data read from the filesystem as untrusted and prints warnings if it not capped correctly. The "code_length * 2" can overflow. The round_up(ucode_size, 16) + sizeof() expression can overflow too. Prevent these overflows. Fixes: d9110b0b01ff ("crypto: marvell - add support for OCTEON TX CPT engine") Signed-off-by: Dan Carpenter Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin --- .../crypto/marvell/octeontx/otx_cptpf_ucode.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c b/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c index 40b482198ebc..a765eefb18c2 100644 --- a/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c +++ b/drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c @@ -286,6 +286,7 @@ static int process_tar_file(struct device *dev, struct tar_ucode_info_t *tar_info; struct otx_cpt_ucode_hdr *ucode_hdr; int ucode_type, ucode_size; + unsigned int code_length; /* * If size is less than microcode header size then don't report @@ -303,7 +304,13 @@ static int process_tar_file(struct device *dev, if (get_ucode_type(ucode_hdr, &ucode_type)) return 0; - ucode_size = ntohl(ucode_hdr->code_length) * 2; + code_length = ntohl(ucode_hdr->code_length); + if (code_length >= INT_MAX / 2) { + dev_err(dev, "Invalid code_length %u\n", code_length); + return -EINVAL; + } + + ucode_size = code_length * 2; if (!ucode_size || (size < round_up(ucode_size, 16) + sizeof(struct otx_cpt_ucode_hdr) + OTX_CPT_UCODE_SIGN_LEN)) { dev_err(dev, "Ucode %s invalid size\n", filename); @@ -886,6 +893,7 @@ static int ucode_load(struct device *dev, struct otx_cpt_ucode *ucode, { struct otx_cpt_ucode_hdr *ucode_hdr; const struct firmware *fw; + unsigned int code_length; int ret; set_ucode_filename(ucode, ucode_filename); @@ -896,7 +904,13 @@ static int ucode_load(struct device *dev, struct otx_cpt_ucode *ucode, ucode_hdr = (struct otx_cpt_ucode_hdr *) fw->data; memcpy(ucode->ver_str, ucode_hdr->ver_str, OTX_CPT_UCODE_VER_STR_SZ); ucode->ver_num = ucode_hdr->ver_num; - ucode->size = ntohl(ucode_hdr->code_length) * 2; + code_length = ntohl(ucode_hdr->code_length); + if (code_length >= INT_MAX / 2) { + dev_err(dev, "Ucode invalid code_length %u\n", code_length); + ret = -EINVAL; + goto release_fw; + } + ucode->size = code_length * 2; if (!ucode->size || (fw->size < round_up(ucode->size, 16) + sizeof(struct otx_cpt_ucode_hdr) + OTX_CPT_UCODE_SIGN_LEN)) { dev_err(dev, "Ucode %s invalid size\n", ucode_filename); -- 2.35.1