Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Date:   Mon, 19 Sep 2022 09:43:27 +0300
From:   Dan Carpenter <dan.carpenter@oracle.com>
To:     George Cherian <gcherian@marvell.com>
Cc:     Herbert Xu <herbert@gondor.apana.org.au>,
        "David S. Miller" <davem@davemloft.net>,
        David Daney <david.daney@cavium.com>,
        linux-crypto@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH v2] crypto: cavium - prevent integer overflow loading firmware
Message-ID: <YygPj8aYTvApOQFB@kili>
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?y6sV/2BBCu8vxXXqoJVCAAvlgNX53YY0MEyLqZL4b0P20UalK59pH8ExKvCH?=
 =?us-ascii?Q?7oTiEC4pm5qrqCP0aCsO1N03slH3gPU7Y0jLno7f0hxPBoUYrgmefZKIz/xr?=
 =?us-ascii?Q?H5h3bxevdK5TZCqTq7Fn8EbqvRH+wHZyJKPxhblloz1f+itWKS1rwaD3/sfM?=
 =?us-ascii?Q?uocNkY41nzFgFlzwIrhQaaGk5vBuobECrkMm3+q/i0kBT9szjv6Z19flBuFH?=
 =?us-ascii?Q?UkJzaPxLiwJjN4j/AQ5ilLkl52HF9ZYu6CsXkhMUUef8gPjPZXktjhjlA/a9?=
 =?us-ascii?Q?RV+QS1f6erOtU3cKgp5F3W44lnFoGAAPQ4t6VSgV8oiiewHjlBAEU8sXDe37?=
 =?us-ascii?Q?Lpmeep7KHXEG4CuN3g/I8H3qe3J+fd9SOuv8aKxUWcFJlUjqnXm4vDZMPHGR?=
 =?us-ascii?Q?6Bq9nxjGo0j4qqVt6+kFLQ+D1soGNDwIojMnV6kAq4gSRwPfTSzRp0958qua?=
 =?us-ascii?Q?Hu663+DVzCUPlL759O4p/GueWnGrSPJDh2OBqxMQEvXy5z008Bgvtbd3dEaC?=
 =?us-ascii?Q?jv8WseRgR+DWR80oO9RgkuFxvDsU36TKnP7hdQhTSQvjR9QQGX76Lx19c9iG?=
 =?us-ascii?Q?D+Crq0cnVCzCPapYmWy9Mym0kRKBLBy2ouZunMv5cLoln/Xzvc/573a3swio?=
 =?us-ascii?Q?wQ7O4YlsluebCUUv55O0SEjYO+ACkF4hie/q+PzyRRlVXBRC3dVuLYWAlm7E?=
 =?us-ascii?Q?sAGyQEIWNB7uhlgLEd0sqqCHUpKqxB/qwwor9nXLhrR9WSeRHHzfIlSZbRjj?=
 =?us-ascii?Q?QTQi1oxgGGh/7jkthjijqkZBLTxJU/lfTlaSosvWnOqttu8kRHVEIgWtXOt8?=
 =?us-ascii?Q?x8ZIZufxz9east5EzjohPA21UWvr5XgwN8wlG1iRkDchqw97akwhz9necx9y?=
 =?us-ascii?Q?uU0QZgNXZRRvjcfxHrOMjDr6A4BC/i7U0TLZpUSf1A04Sfgq/DRZyg1POmnK?=
 =?us-ascii?Q?rDUBCu3MlsVBkV8DK8a0mRsHoteE3r2Z5Mj5DfqbppgShdMN21KXjssDAQ15?=
 =?us-ascii?Q?NXMSEUYcCX7MV8ODsX0zweXOimWGJroCKxNrGC9z17K5jcc3Se2/lb/rD7mW?=
 =?us-ascii?Q?hnX/d15d06rd8JnWGhNLBTonuQKl/ms+Ygr7bJvB0smW+GkxICSu7+ScNdj9?=
 =?us-ascii?Q?0Y4KrCe2A+nLCd3QL1LB2MNeLhQVyYjYTK2dsVgOrthz4epm/NaQznbQrX58?=
 =?us-ascii?Q?vQXhSsEJzoBvrc1M55uXHw9dQaX70FuQ3/ZpvG9ms8ypr66FTBNg3QaVMTm7?=
 =?us-ascii?Q?DD9L/T0kOnY1O+drGITt+wFC8ia2eFrlM3CjcN1/SUQmJu1Au7JTzdli/npN?=
 =?us-ascii?Q?CZLZt7Lh5wb4r7yUrFCj0npITs1l5J/2vHNss8RwLD/CFbsVYy0yO7wzWu+b?=
 =?us-ascii?Q?tE7nMzIz3v/B+DGIEMBh2XYoieNREp3uCSs/IKH+TBrFdz+fWyFGi5+rJeD7?=
 =?us-ascii?Q?mgKTJRy/9x32eHszFvAEiAZkElgLF8+nBMrK4eM3BlCEYJQZVsOSYVJKqCoj?=
 =?us-ascii?Q?+VpbMD3ZpTs8TQQ0dPaLTrcMD90Q5YonZKEp3gaVYhWd0YHQEMEyJA5XUN/+?=
 =?us-ascii?Q?bmz/1nfD/nkyfpNGIsx5PYSOzQZDzJ9F9YiDJ8R3BFS5sUF1npWDR2Or9lcq?=
 =?us-ascii?Q?Dg=3D=3D?=
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3d0016a6-5243-46e9-ad04-08da9a0a46dd
X-MS-Exchange-CrossTenant-AuthSource: MWHPR1001MB2365.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Sep 2022 06:43:35.6567
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: imTJe+OzK7U4VWaxBz8hHw+zsTI14C4jIgiWPkz8owKAq/nUG4R52E4kJP0INw/4xaT6zJaLv26PgPCvm6wkqxJU4i0i9OcaTUsaFnGVFkQ=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH0PR10MB5244
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.205,Aquarius:18.0.895,Hydra:6.0.528,FMLib:17.11.122.1
 definitions=2022-09-19_03,2022-09-16_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 bulkscore=0 malwarescore=0
 spamscore=0 mlxscore=0 adultscore=0 mlxlogscore=999 suspectscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2209130000
 definitions=main-2209190044
X-Proofpoint-ORIG-GUID: ln3GwqAGMBMp8g84e-Zel6PV7ma397JS
X-Proofpoint-GUID: ln3GwqAGMBMp8g84e-Zel6PV7ma397JS
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,
        RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

The "code_length" value comes from the firmware file.  If your firmware
is untrusted realistically there is probably very little you can do to
protect yourself.  Still we try to limit the damage as much as possible.
Also Smatch marks any data read from the filesystem as untrusted and
prints warnings if it not capped correctly.

The "ntohl(ucode->code_length) * 2" multiplication can have an
integer overflow.

Fixes: 9e2c7d99941d ("crypto: cavium - Add Support for Octeon-tx CPT Engine")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: The first code removed the " * 2" so it would have caused immediate
    memory corruption and crashes.

    Also in version 2 I combine the "if (!mcode->code_size) {" check
    with the overflow check for better readability.

 drivers/crypto/cavium/cpt/cptpf_main.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/cavium/cpt/cptpf_main.c b/drivers/crypto/cavium/cpt/cptpf_main.c
index 8c32d0eb8fcf..6872ac344001 100644
--- a/drivers/crypto/cavium/cpt/cptpf_main.c
+++ b/drivers/crypto/cavium/cpt/cptpf_main.c
@@ -253,6 +253,7 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae)
 	const struct firmware *fw_entry;
 	struct device *dev = &cpt->pdev->dev;
 	struct ucode_header *ucode;
+	unsigned int code_length;
 	struct microcode *mcode;
 	int j, ret = 0;
 
@@ -263,11 +264,12 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae)
 	ucode = (struct ucode_header *)fw_entry->data;
 	mcode = &cpt->mcode[cpt->next_mc_idx];
 	memcpy(mcode->version, (u8 *)fw_entry->data, CPT_UCODE_VERSION_SZ);
-	mcode->code_size = ntohl(ucode->code_length) * 2;
-	if (!mcode->code_size) {
+	code_length = ntohl(ucode->code_length);
+	if (code_length == 0 || code_length >= INT_MAX / 2) {
 		ret = -EINVAL;
 		goto fw_release;
 	}
+	mcode->code_size = code_length * 2;
 
 	mcode->is_ae = is_ae;
 	mcode->core_mask = 0ULL;
-- 
2.35.1