tegra-cryptodev:check valid SHA message length
Konduri Praveen [Wed, 3 May 2017 05:11:36 +0000 (10:11 +0530)]
SHA message length is provided from user space
through IOCTL call. If this length is not valid,
then it can lead to panic due to buffer overflow.

Fix by checking message length for SHA before
copying from user space.

Bug 1883640

Change-Id: I08e7a6037251822b7e8a3e1b7f00f71dc0495aba
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Reviewed-on: http://git-master/r/1474442
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mallikarjun Kasoju <mkasoju@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

drivers/misc/tegra-cryptodev.c
drivers/misc/tegra-cryptodev.h

index 89d72bd..acc893c 100644 (file)
@@ -400,6 +400,11 @@ static int tegra_crypto_sha(struct file *filp, struct tegra_crypto_ctx *ctx,
        char sha_algo[6][10] = {"sha1", "sha224", "sha256",
                                "sha384", "sha512", "cmac(aes)"};
 
+       if (sha_req->plaintext_sz > PAGE_SIZE) {
+               pr_err("alg:hash: invalid plaintext_sz for sha_req\n");
+               return -EINVAL;
+       }
+
        tfm = crypto_alloc_ahash(sha_req->algo, 0, 0);
        if (IS_ERR(tfm)) {
                pr_err("alg:hash:Failed to load transform for %s:%ld\n",
index 9ab2718..6f14a23 100644 (file)
@@ -143,7 +143,7 @@ struct tegra_sha_req {
        unsigned char *algo;
        unsigned char *plaintext;
        unsigned char *result;
-       int plaintext_sz;
+       unsigned int plaintext_sz;
 };
 #define TEGRA_CRYPTO_IOCTL_GET_SHA     \
                _IOWR(0x98, 104, struct tegra_sha_req)
@@ -151,11 +151,11 @@ struct tegra_sha_req {
 #ifdef CONFIG_COMPAT
 struct tegra_sha_req_32 {
        char key[TEGRA_CRYPTO_MAX_KEY_SIZE];
-       unsigned int keylen;
+       __u32 keylen;
        __u32 algo;
        __u32 plaintext;
        __u32 result;
-       int plaintext_sz;
+       __u32 plaintext_sz;
 };
 #define TEGRA_CRYPTO_IOCTL_GET_SHA_32  \
                _IOWR(0x98, 104, struct tegra_sha_req_32)