crypto/qat: fix missing copy guards in asym mod
Commit Message
This commit fixes missing guards for size of memcpy,
it is needed to prevent faulty access when an incorrect length
is passed from the user.
Fixes: 3b78aa7b2317 ("crypto/qat: refactor asymmetric crypto functions")
Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
---
drivers/crypto/qat/qat_asym.c | 8 ++++++++
1 file changed, 8 insertions(+)
Comments
> -----Original Message-----
> From: Kusztal, ArkadiuszX <arkadiuszx.kusztal@intel.com>
> Sent: Friday, June 17, 2022 12:20 PM
> To: dev@dpdk.org
> Cc: gakhil@marvell.com; Zhang, Roy Fan <roy.fan.zhang@intel.com>; Kusztal,
> ArkadiuszX <arkadiuszx.kusztal@intel.com>
> Subject: [PATCH] crypto/qat: fix missing copy guards in asym mod
>
> This commit fixes missing guards for size of memcpy,
> it is needed to prevent faulty access when an incorrect length
> is passed from the user.
>
> Fixes: 3b78aa7b2317 ("crypto/qat: refactor asymmetric crypto functions")
>
> Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> ---
Acked-by: Fan Zhang <roy.fan.zhang@intel.com>
> > This commit fixes missing guards for size of memcpy,
> > it is needed to prevent faulty access when an incorrect length
> > is passed from the user.
> >
> > Fixes: 3b78aa7b2317 ("crypto/qat: refactor asymmetric crypto functions")
> >
> > Signed-off-by: Arek Kusztal <arkadiuszx.kusztal@intel.com>
> > ---
> Acked-by: Fan Zhang <roy.fan.zhang@intel.com>
Applied to dpdk-next-crypto
Cc: stable@dpdk.org
@@ -248,6 +248,10 @@ modexp_collect(struct rte_crypto_asym_op *asym_op,
uint32_t alg_bytesize = cookie->alg_bytesize;
uint8_t *modexp_result = asym_op->modex.result.data;
+ if (n.length > alg_bytesize) {
+ QAT_LOG(ERR, "Incorrect length of modexp modulus");
+ return RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ }
rte_memcpy(modexp_result,
cookie->output_array[0] + alg_bytesize
- n.length, n.length);
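Review bot: the new check in modexp_collect bounds only the source side of the rte_memcpy (the offset alg_bytesize - n.length into cookie->output_array[0]); the destination modexp_result, taken from asym_op->modex.result.data, still receives n.length bytes with no size check visible in this hunk. If the caller's result buffer can be smaller than the modulus, validate n.length against the result buffer size in the same guard. Because the check sits in the collect path, a bad length is only rejected after the request has been processed, so consider rejecting it where the request is built as well. Including n.length and alg_bytesize in the QAT_LOG message would make a rejected op easier to diagnose.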
@@ -304,6 +308,10 @@ modinv_collect(struct rte_crypto_asym_op *asym_op,
uint8_t *modinv_result = asym_op->modinv.result.data;
uint32_t alg_bytesize = cookie->alg_bytesize;
+ if (n.length > alg_bytesize) {
+ QAT_LOG(ERR, "Incorrect length of modinv modulus");
+ return RTE_CRYPTO_OP_STATUS_INVALID_ARGS;
+ }
rte_memcpy(modinv_result + (asym_op->modinv.result.length
- n.length),
cookie->output_array[0] + alg_bytesize
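Review bot: the destination offset in modinv_collect, asym_op->modinv.result.length - n.length, is not covered by the new guard. If result.length is smaller than n.length the subtraction wraps and rte_memcpy writes far outside modinv_result, even when n.length <= alg_bytesize holds. Suggest extending the condition to also reject asym_op->modinv.result.length < n.length. The guard is otherwise identical to the one added in modexp_collect, so a small shared helper would keep the two checks from drifting apart.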