Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp3902875rwb; Fri, 30 Sep 2022 09:50:56 -0700 (PDT) X-Google-Smtp-Source: AMsMyM7a8XVp+Iln3708KyIRAQUO4eJOMdDPe5W3V5klPH6rc29q/Sa4s49CwKgF3XKyWyUcs4j/ X-Received: by 2002:a63:2a81:0:b0:43c:5fa6:1546 with SMTP id q123-20020a632a81000000b0043c5fa61546mr8369135pgq.43.1664556656623; Fri, 30 Sep 2022 09:50:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1664556656; cv=none; d=google.com; s=arc-20160816; b=Q7ZEh//lT186wQkqh9m3w/hNsPP+90QazO00Ov9NHrfOe3q+Qm2nTnh6giFAQKjJEw JqEVU0lyHsXwY8ZbqC9pkH9Ey40xpEgtYUHf0siQJiZBN+ETrBCJEpobs2smHVh7fw81 NY2odfDeTJ1VdjpBbny4cU/heybPw5TRbouUG2+WwV5ODQYG3r6cX4tPcHCFylh828oB oShZXo8ZA2X1Hu5GtuX4FnIK1o3vNRTQ+hU9Gz6PmjzLhAz3k2faQqA6FGsWCmhClvC8 ytT41YfrwpPb6gSQEXKRqhiN6EZ2inzaWyLwpNLPSWGWKqJeLKV7YIbkHJ1PMAyF+qwX q6XQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=jLkrmIncG6x63mJFg//hdV3ZNQKV4UFleufpu0UUaTk=; b=veqjLZ6USQmVU0ptxXABviUwsFI4tGb5msEVhJaFlZiaoDYWRxfBf2YRRNmDI7nIb+ RYWF21B0VP0P1lLf3Wm40Cr40VZoV3jg8WoCaVEqN9o7C+miCnLTng1YekcNVgi3vOSj oCtyrPvlTINosDA31w0ozkL+M4s980h1er7TxL1i3towkC//MmkOpRUB7yWLJMADavGa H2TYJ4r7jnDqDwye/1pgWFyzjic0Mcqd5Z8endzyBaJA9c8XkAA4F2pvVfwwGuyEVrNn lRYK+F+EcsOV6f4pwx3wyOgUtrvUjUzXc635s8Zeb2gxgpbGvZ+P7Ji6FJuq4WUC/u0X EKsw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q21-20020a631f55000000b0043ac3ec9d9esi3423462pgm.595.2022.09.30.09.50.22; Fri, 30 Sep 2022 09:50:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229971AbiI3Qke (ORCPT + 99 others); Fri, 30 Sep 2022 12:40:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38514 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232098AbiI3Qkb (ORCPT ); Fri, 30 Sep 2022 12:40:31 -0400 Received: from smtp.smtpout.orange.fr (smtp09.smtpout.orange.fr [80.12.242.131]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id BACDAFA5D8 for ; Fri, 30 Sep 2022 09:40:30 -0700 (PDT) Received: from [192.168.1.18] ([86.243.100.34]) by smtp.orange.fr with ESMTPA id eIwYoMAPUr5PdeIwYoJg1U; Fri, 30 Sep 2022 18:32:58 +0200 X-ME-Helo: [192.168.1.18] X-ME-Auth: Y2hyaXN0b3BoZS5qYWlsbGV0QHdhbmFkb28uZnI= X-ME-Date: Fri, 30 Sep 2022 18:32:58 +0200 X-ME-IP: 86.243.100.34 Message-ID: Date: Fri, 30 Sep 2022 18:32:53 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.11.0 Subject: Re: [PATCH v2] crypto: cavium - prevent integer overflow loading firmware Content-Language: fr To: Dan Carpenter , George Cherian Cc: Herbert Xu , "David S. Miller" , David Daney , linux-crypto@vger.kernel.org, kernel-janitors@vger.kernel.org References: From: Christophe JAILLET In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.5 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Le 19/09/2022 à 08:43, Dan Carpenter a écrit : > The "code_length" value comes from the firmware file. If your firmware > is untrusted realistically there is probably very little you can do to > protect yourself. Still we try to limit the damage as much as possible. > Also Smatch marks any data read from the filesystem as untrusted and > prints warnings if it not capped correctly. > > The "ntohl(ucode->code_length) * 2" multiplication can have an > integer overflow. > > Fixes: 9e2c7d99941d ("crypto: cavium - Add Support for Octeon-tx CPT Engine") > Signed-off-by: Dan Carpenter > --- > v2: The first code removed the " * 2" so it would have caused immediate > memory corruption and crashes. > > Also in version 2 I combine the "if (!mcode->code_size) {" check > with the overflow check for better readability. > > drivers/crypto/cavium/cpt/cptpf_main.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/drivers/crypto/cavium/cpt/cptpf_main.c b/drivers/crypto/cavium/cpt/cptpf_main.c > index 8c32d0eb8fcf..6872ac344001 100644 > --- a/drivers/crypto/cavium/cpt/cptpf_main.c > +++ b/drivers/crypto/cavium/cpt/cptpf_main.c > @@ -253,6 +253,7 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae) > const struct firmware *fw_entry; > struct device *dev = &cpt->pdev->dev; > struct ucode_header *ucode; > + unsigned int code_length; > struct microcode *mcode; > int j, ret = 0; > > @@ -263,11 +264,12 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae) > ucode = (struct ucode_header *)fw_entry->data; > mcode = &cpt->mcode[cpt->next_mc_idx]; > memcpy(mcode->version, (u8 *)fw_entry->data, CPT_UCODE_VERSION_SZ); > - mcode->code_size = ntohl(ucode->code_length) * 2; > - if (!mcode->code_size) { > + code_length = ntohl(ucode->code_length); > + if (code_length == 0 || code_length >= INT_MAX / 2) { Hi, out of curiosity, 'code_length' is 'unsigned int' 'mcode->code_size' is u32. Why not UINT_MAX / 2? CJ > ret = -EINVAL; > goto fw_release; > } > + mcode->code_size = code_length * 2; > > mcode->is_ae = is_ae; > mcode->core_mask = 0ULL;