Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp3195224rwb; Thu, 29 Sep 2022 23:16:36 -0700 (PDT) X-Google-Smtp-Source: AMsMyM777/OpYk61VuAAiMTZz72SpNJI94PLVNzW6XAcfa70CGTpmF7DeZ8Ge9b8Xb2qlSFTqACQ X-Received: by 2002:a05:6a00:3390:b0:547:d32e:b5d3 with SMTP id cm16-20020a056a00339000b00547d32eb5d3mr7450618pfb.23.1664518596663; Thu, 29 Sep 2022 23:16:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1664518596; cv=none; d=google.com; s=arc-20160816; b=UgP8+/b/OS/py8zDwgXiDweF2Ikl/dOorMfXkTZ9LNx6MUw6e+x+KxZCQh4fWuO767 4wocAj48loK5/X5sDros7asmTXy6sQniDThzN2jzNV27jXqWnB6pUcnJIVcZ265xb3vm BJAFOzOUIt54FGQPP6uJg6jTBeVwU8vKPnCHO1yxll1N3XNu/aqlLp4oJtCuICmTZ+mI ERDcPdvdMs405Iu62YF7c7y933hZgDHT/zETpApreEc7VdSeH06zGH2Sin0emQ2W021q CGA234ZhR7vPs6F+xXDBfGd9gaAsGtJGbybpXiyF8EbYcDw+LZWdBKstdhdWqXHv1fjA oyyQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=2fnC41JTh+sWqd3qvh84jUof9r+BMHJuUThCx//pw58=; b=VwrN+5znka4Y1AEmtyRNGHacJcm2oC5UEenUmOZlgMIPDOYXcvMJvDUSXbDHw0Px7V oTw32BuPVAP2H0L+OE23KnoW5Kwx5xx6mq8qEka3cex6VLxyXWbq395cMVhAcMcDfR6u NaFdCOyFVQJTiAoUtWYZDts9JqV7Mck5LNwgzBJbZzG6cC0VDDuptbF28y5q2vWVSiQp 86DBVOQxJHuo54goxz50ieguK/TC5wGmm9TrWoqf4avhxIhqZTtoqEAaM4Uh8twUfCWX ELuZYOOg9nXuhfkZ1gz72RHFurWQdZUQBWaE5qEggrZblSK2t43fKTMHnqpaW7//XWAl 964w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id f4-20020a655904000000b00439286e51a2si2040074pgu.155.2022.09.29.23.16.22; Thu, 29 Sep 2022 23:16:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230174AbiI3GOV (ORCPT + 99 others); Fri, 30 Sep 2022 02:14:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44582 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230163AbiI3GOT (ORCPT ); Fri, 30 Sep 2022 02:14:19 -0400 Received: from fornost.hmeau.com (helcar.hmeau.com [216.24.177.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7BCB0132D41; Thu, 29 Sep 2022 23:14:18 -0700 (PDT) Received: from gwarestrin.arnor.me.apana.org.au ([192.168.103.7]) by fornost.hmeau.com with smtp (Exim 4.94.2 #2 (Debian)) id 1oe9Hm-00A54Y-HK; Fri, 30 Sep 2022 16:14:11 +1000 Received: by gwarestrin.arnor.me.apana.org.au (sSMTP sendmail emulation); Fri, 30 Sep 2022 14:14:10 +0800 Date: Fri, 30 Sep 2022 14:14:10 +0800 From: Herbert Xu To: Dan Carpenter Cc: George Cherian , "David S. Miller" , David Daney , linux-crypto@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: Re: [PATCH v2] crypto: cavium - prevent integer overflow loading firmware Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Mon, Sep 19, 2022 at 09:43:27AM +0300, Dan Carpenter wrote: > The "code_length" value comes from the firmware file. If your firmware > is untrusted realistically there is probably very little you can do to > protect yourself. Still we try to limit the damage as much as possible. > Also Smatch marks any data read from the filesystem as untrusted and > prints warnings if it not capped correctly. > > The "ntohl(ucode->code_length) * 2" multiplication can have an > integer overflow. > > Fixes: 9e2c7d99941d ("crypto: cavium - Add Support for Octeon-tx CPT Engine") > Signed-off-by: Dan Carpenter > --- > v2: The first code removed the " * 2" so it would have caused immediate > memory corruption and crashes. > > Also in version 2 I combine the "if (!mcode->code_size) {" check > with the overflow check for better readability. > > drivers/crypto/cavium/cpt/cptpf_main.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) Patch applied. Thanks. -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt