Received: by 2002:a05:6358:489b:b0:bb:da1:e618 with SMTP id x27csp356453rwn; Thu, 8 Sep 2022 02:42:36 -0700 (PDT) X-Google-Smtp-Source: AA6agR5dadHR10i1wmqir/cCt/4sb8hAXgXc6h3IeNKdvW37MHDXtczCx7b4TXfrOxBMGhY76Nkj X-Received: by 2002:a17:90a:a003:b0:200:7642:a6e5 with SMTP id q3-20020a17090aa00300b002007642a6e5mr3247003pjp.10.1662630156645; Thu, 08 Sep 2022 02:42:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1662630156; cv=none; d=google.com; s=arc-20160816; b=S6UKtUICg8u39IyQtFnM7R1NTBoGh+iOq5DamrcIN3VJWVSRSquzZIrFww8w4pTd+3 vkkbUk4mnGAuTUyvdvsdJGUOAFgod02gyU1B2DZVROwhf0GQnPufXjKEtc4axQwa2b/q +QBpbVank6N+NtxgKj1XZCTcctF0NUqmZ3hFpjoyokWZD95gI33jVfYi2ZY2OjanKFhh sBSQ3cUvOdP533JvOFYe7XSO6sN5X1EFec2IHacn5DkubcCLG71mciEeNES+5OpNOYcX FpSdseNjj85AVNNS992t1y9ZkQk9qLVWNtU3VrwIW9xT7AC0u9t263TFGjZd65hk1W9k J3KQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=vooY/MoFTMPHpLE4MM+mRFx12UcN/TqQMefc5rcUghs=; b=UuJLOrdQYLqgsyYDtS9dby7EuuUPsbEhM9wJjAeMTEYEP4HyBhX/kvKHZoElE6Yx5d bLOLa47xmANYcbOgo/vc9Q8kx0rIWQwYU2H9plsFxMpxem2uh/epwZfShddJawopCrJP +d3lPWTWOdVWMHnZT82E7XfJddHS0jWT+YReD3PaS4Bpstdv3tCXk/Ncn7kUSIc05KSN DpReF1jO3o0PbRieOZ+XomCIabUIuLmUkkTLRR3luCG277kkSDakcMeqRMnDa9l9szDH LYg5RhHhjHaerFUey1NgC8vsvdNUfBFVMbP7cLDpJAXG2nOJVdJhI7yejd7OrCzrQPZZ +Ccg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id n7-20020a170902f60700b0017280be5a02si18892940plg.589.2022.09.08.02.42.13; Thu, 08 Sep 2022 02:42:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229991AbiIHJfU (ORCPT + 99 others); Thu, 8 Sep 2022 05:35:20 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43092 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229674AbiIHJfT (ORCPT ); Thu, 8 Sep 2022 05:35:19 -0400 Received: from fornost.hmeau.com (helcar.hmeau.com [216.24.177.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1C37972EC6; Thu, 8 Sep 2022 02:35:12 -0700 (PDT) Received: from gwarestrin.arnor.me.apana.org.au ([192.168.103.7]) by fornost.hmeau.com with smtp (Exim 4.94.2 #2 (Debian)) id 1oWDvm-002OS8-HJ; Thu, 08 Sep 2022 19:34:43 +1000 Received: by gwarestrin.arnor.me.apana.org.au (sSMTP sendmail emulation); Thu, 08 Sep 2022 17:34:42 +0800 Date: Thu, 8 Sep 2022 17:34:42 +0800 From: Herbert Xu To: Dan Carpenter Cc: Boris Brezillon , Arnaud Ebalard , Srujana Challa , "David S. Miller" , Wolfram Sang , Giovanni Cabiddu , Lukasz Bartosik , linux-crypto@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: Re: [PATCH] crypto: marvell/octeontx - prevent integer overflows Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Thu, Sep 01, 2022 at 06:32:09PM +0300, Dan Carpenter wrote: > > @@ -303,7 +304,13 @@ static int process_tar_file(struct device *dev, > if (get_ucode_type(ucode_hdr, &ucode_type)) > return 0; > > - ucode_size = ntohl(ucode_hdr->code_length) * 2; > + code_length = ntohl(ucode_hdr->code_length); > + if (code_length >= INT_MAX / 2) { > + dev_err(dev, "Invalid code_length %u\n", code_length); > + return -EINVAL; > + } > + > + ucode_size = code_length * 2; > if (!ucode_size || (size < round_up(ucode_size, 16) + > sizeof(struct otx_cpt_ucode_hdr) + OTX_CPT_UCODE_SIGN_LEN)) { > dev_err(dev, "Ucode %s invalid size\n", filename); How come you didn't add a "ucode_size > size" check like you did below? > @@ -896,9 +904,16 @@ static int ucode_load(struct device *dev, struct otx_cpt_ucode *ucode, > ucode_hdr = (struct otx_cpt_ucode_hdr *) fw->data; > memcpy(ucode->ver_str, ucode_hdr->ver_str, OTX_CPT_UCODE_VER_STR_SZ); > ucode->ver_num = ucode_hdr->ver_num; > - ucode->size = ntohl(ucode_hdr->code_length) * 2; > - if (!ucode->size || (fw->size < round_up(ucode->size, 16) > - + sizeof(struct otx_cpt_ucode_hdr) + OTX_CPT_UCODE_SIGN_LEN)) { > + code_length = ntohl(ucode_hdr->code_length); > + if (code_length >= INT_MAX / 2) { > + ret = -EINVAL; > + goto release_fw; > + } > + ucode->size = code_length * 2; > + if (!ucode->size || > + ucode->size > fw->size || > + (fw->size < round_up(ucode->size, 16) + > + sizeof(struct otx_cpt_ucode_hdr) + OTX_CPT_UCODE_SIGN_LEN)) { > dev_err(dev, "Ucode %s invalid size\n", ucode_filename); > ret = -EINVAL; > goto release_fw; > -- > 2.35.1 Thanks, -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt