Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp3195224rwb;
        Thu, 29 Sep 2022 23:16:36 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM777/OpYk61VuAAiMTZz72SpNJI94PLVNzW6XAcfa70CGTpmF7DeZ8Ge9b8Xb2qlSFTqACQ
X-Received: by 2002:a05:6a00:3390:b0:547:d32e:b5d3 with SMTP id cm16-20020a056a00339000b00547d32eb5d3mr7450618pfb.23.1664518596663;
        Thu, 29 Sep 2022 23:16:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1664518596; cv=none;
        d=google.com; s=arc-20160816;
        b=UgP8+/b/OS/py8zDwgXiDweF2Ikl/dOorMfXkTZ9LNx6MUw6e+x+KxZCQh4fWuO767
         4wocAj48loK5/X5sDros7asmTXy6sQniDThzN2jzNV27jXqWnB6pUcnJIVcZ265xb3vm
         BJAFOzOUIt54FGQPP6uJg6jTBeVwU8vKPnCHO1yxll1N3XNu/aqlLp4oJtCuICmTZ+mI
         ERDcPdvdMs405Iu62YF7c7y933hZgDHT/zETpApreEc7VdSeH06zGH2Sin0emQ2W021q
         CGA234ZhR7vPs6F+xXDBfGd9gaAsGtJGbybpXiyF8EbYcDw+LZWdBKstdhdWqXHv1fjA
         oyyQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date;
        bh=2fnC41JTh+sWqd3qvh84jUof9r+BMHJuUThCx//pw58=;
        b=VwrN+5znka4Y1AEmtyRNGHacJcm2oC5UEenUmOZlgMIPDOYXcvMJvDUSXbDHw0Px7V
         oTw32BuPVAP2H0L+OE23KnoW5Kwx5xx6mq8qEka3cex6VLxyXWbq395cMVhAcMcDfR6u
         NaFdCOyFVQJTiAoUtWYZDts9JqV7Mck5LNwgzBJbZzG6cC0VDDuptbF28y5q2vWVSiQp
         86DBVOQxJHuo54goxz50ieguK/TC5wGmm9TrWoqf4avhxIhqZTtoqEAaM4Uh8twUfCWX
         ELuZYOOg9nXuhfkZ1gz72RHFurWQdZUQBWaE5qEggrZblSK2t43fKTMHnqpaW7//XWAl
         964w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id f4-20020a655904000000b00439286e51a2si2040074pgu.155.2022.09.29.23.16.22;
        Thu, 29 Sep 2022 23:16:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230174AbiI3GOV (ORCPT <rfc822;logchen2009@gmail.com>
        + 99 others); Fri, 30 Sep 2022 02:14:21 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44582 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230163AbiI3GOT (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Fri, 30 Sep 2022 02:14:19 -0400
Received: from fornost.hmeau.com (helcar.hmeau.com [216.24.177.18])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7BCB0132D41;
        Thu, 29 Sep 2022 23:14:18 -0700 (PDT)
Received: from gwarestrin.arnor.me.apana.org.au ([192.168.103.7])
        by fornost.hmeau.com with smtp (Exim 4.94.2 #2 (Debian))
        id 1oe9Hm-00A54Y-HK; Fri, 30 Sep 2022 16:14:11 +1000
Received: by gwarestrin.arnor.me.apana.org.au (sSMTP sendmail emulation); Fri, 30 Sep 2022 14:14:10 +0800
Date:   Fri, 30 Sep 2022 14:14:10 +0800
From:   Herbert Xu <herbert@gondor.apana.org.au>
To:     Dan Carpenter <dan.carpenter@oracle.com>
Cc:     George Cherian <gcherian@marvell.com>,
        "David S. Miller" <davem@davemloft.net>,
        David Daney <david.daney@cavium.com>,
        linux-crypto@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [PATCH v2] crypto: cavium - prevent integer overflow loading
 firmware
Message-ID: <YzaJMu191++1ptvq@gondor.apana.org.au>
References: <YygPj8aYTvApOQFB@kili>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <YygPj8aYTvApOQFB@kili>
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE,
        SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

On Mon, Sep 19, 2022 at 09:43:27AM +0300, Dan Carpenter wrote:
> The "code_length" value comes from the firmware file.  If your firmware
> is untrusted realistically there is probably very little you can do to
> protect yourself.  Still we try to limit the damage as much as possible.
> Also Smatch marks any data read from the filesystem as untrusted and
> prints warnings if it not capped correctly.
> 
> The "ntohl(ucode->code_length) * 2" multiplication can have an
> integer overflow.
> 
> Fixes: 9e2c7d99941d ("crypto: cavium - Add Support for Octeon-tx CPT Engine")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> v2: The first code removed the " * 2" so it would have caused immediate
>     memory corruption and crashes.
> 
>     Also in version 2 I combine the "if (!mcode->code_size) {" check
>     with the overflow check for better readability.
> 
>  drivers/crypto/cavium/cpt/cptpf_main.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt