From patchwork Fri Apr 14 12:31:31 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Power, Ciara" <ciara.power@intel.com>
X-Patchwork-Id: 126079
X-Patchwork-Delegate: gakhil@marvell.com
Return-Path: <dev-bounces@dpdk.org>
X-Original-To: patchwork@inbox.dpdk.org
Delivered-To: patchwork@inbox.dpdk.org
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 749A542941;
	Fri, 14 Apr 2023 14:31:41 +0200 (CEST)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 4762140144;
	Fri, 14 Apr 2023 14:31:41 +0200 (CEST)
Received: from mga06.intel.com (mga06b.intel.com [134.134.136.31])
 by mails.dpdk.org (Postfix) with ESMTP id 39A2A400D5;
 Fri, 14 Apr 2023 14:31:39 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
 d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
 t=1681475499; x=1713011499;
 h=from:to:cc:subject:date:message-id:mime-version:
 content-transfer-encoding;
 bh=B2bDetfFznCAutddQavUFvU4jtT1QG9rfzKe5dthoaE=;
 b=cISRkwRZChzISnl0ZHnym6XPDlfxjqn1qaEJyPlAJ0MgpKHrYWps0f4e
 WAT3p2NCfCcvXGqQzTcMMFqugjW4CiAYRwA1NJHhy/1nmxdYonFx1mXcY
 /m/dDF5iU3y7hxmqQ0NeYkVSeuyH+vdfxJgFxp06kNWOUDW77iHnchuFl
 VMGT7DWSoOsKj4cuMsUksUCfJ5TdCs2ANHm4CCe05rjoPX7Of+R2tMPCi
 PxCXXik89WXs4mMWfIZpTh+are9twAsN2GUNnaPXNbud59slACI8fio7Z
 PtwwA/Wol6oA/+s7RFJWgpn3HarIc9JHH5x5GLAA2nmN+7pCUicplWEL3 w==;
X-IronPort-AV: E=McAfee;i="6600,9927,10679"; a="407324776"
X-IronPort-AV: E=Sophos;i="5.99,195,1677571200"; d="scan'208";a="407324776"
Received: from orsmga005.jf.intel.com ([10.7.209.41])
 by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 14 Apr 2023 05:31:38 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=McAfee;i="6600,9927,10679"; a="864206416"
X-IronPort-AV: E=Sophos;i="5.99,195,1677571200"; d="scan'208";a="864206416"
Received: from silpixa00400355.ir.intel.com (HELO
 silpixa00400355.ger.corp.intel.com) ([10.237.222.80])
 by orsmga005.jf.intel.com with ESMTP; 14 Apr 2023 05:31:37 -0700
From: Ciara Power <ciara.power@intel.com>
To: Kai Ji <kai.ji@intel.com>
Cc: dev@dpdk.org,
	Ciara Power <ciara.power@intel.com>,
	stable@dpdk.org
Subject: [PATCH] crypto/qat: fix stack buffer overflow in SGL loop
Date: Fri, 14 Apr 2023 12:31:31 +0000
Message-Id: <20230414123131.575412-1-ciara.power@intel.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org

The cvec pointer was incremented incorrectly in the case where the
length of remaining_off equals cvec len, and there is no next cvec.
This led to cvec->iova being invalid memory to access.

Instead, only increment the cvec pointer when we know there is a next
cvec to point to, by checking the i value, which represents the number
of cvecs available.
If i is 0, then no need to increment as the current cvec is the last one.

Fixes: a815a04cea05 ("crypto/qat: support symmetric build op request")
Cc: kai.ji@intel.com
Cc: stable@dpdk.org

Signed-off-by: Ciara Power <ciara.power@intel.com>
Acked-by: Kai Ji <kai.ji@intel.com>
Acked-by: Brian Dooley <brian.dooley@intel.com>
---
 drivers/crypto/qat/dev/qat_crypto_pmd_gens.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gens.h b/drivers/crypto/qat/dev/qat_crypto_pmd_gens.h
index 524c291340..092265631b 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gens.h
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gens.h
@@ -682,7 +682,8 @@ enqueue_one_chain_job_gen1(struct qat_sym_session *ctx,
 		while (remaining_off >= cvec->len && i >= 1) {
 			i--;
 			remaining_off -= cvec->len;
-			cvec++;
+			if (i)
+				cvec++;
 		}
 
 		auth_iova_end = cvec->iova + remaining_off;