| Message ID | 20240322205915.13305-1-amishin@t-argos.ru (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Herbert Xu |
| Headers | show |
| Series | [v2] crypto: bcm/spu2 - Add buffer size check | expand |
On Fri, Mar 22, 2024 at 11:59:15PM +0300, Aleksandr Mishin wrote: > In spu2_dump_omd() value of ptr is increased by ciph_key_len > instead of hash_iv_len which could lead to going beyond the > buffer boundaries. > Fix this bug by changing ciph_key_len to hash_iv_len. > > Found by Linux Verification Center (linuxtesting.org) with SVACE. > > Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") > Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru> > --- > v2: Fix commit message according to the Linux kernel rules > > drivers/crypto/bcm/spu2.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) Patch applied. Thanks.
diff --git a/drivers/crypto/bcm/spu2.c b/drivers/crypto/bcm/spu2.c index 07989bb8c220..3fdc64b5a65e 100644 --- a/drivers/crypto/bcm/spu2.c +++ b/drivers/crypto/bcm/spu2.c @@ -495,7 +495,7 @@ static void spu2_dump_omd(u8 *omd, u16 hash_key_len, u16 ciph_key_len, if (hash_iv_len) { packet_log(" Hash IV Length %u bytes\n", hash_iv_len); packet_dump(" hash IV: ", ptr, hash_iv_len); - ptr += ciph_key_len; + ptr += hash_iv_len; } if (ciph_iv_len) {
In spu2_dump_omd() value of ptr is increased by ciph_key_len instead of hash_iv_len which could lead to going beyond the buffer boundaries. Fix this bug by changing ciph_key_len to hash_iv_len. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru> --- v2: Fix commit message according to the Linux kernel rules drivers/crypto/bcm/spu2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)