diff options
author | Franck LENORMAND <franck.lenormand@nxp.com> | 2018-11-27 14:18:13 +0100 |
---|---|---|
committer | Jason Liu <jason.hui.liu@nxp.com> | 2019-02-12 10:35:35 +0800 |
commit | c9b8380c56ccda84dfcd27e225c716d2076f8532 (patch) | |
tree | c7fe58899710671b17b401740384eb307ecb6962 /drivers/crypto/mxs-dcp.c | |
parent | fd6a6ac1ebfb174eebe62ed92c2c2679b362498e (diff) |
MLK-20204: drivers: crypto: dcp: Check we have input data for AES
If the input scatter gather table is wrongly built (no entries), the
code will try to copy memory which is not allowed.
Coverity Explanation:
drivers/crypto/mxs-dcp.c:388: CID 5233058 (#1 of 1):
Type: Out-of-bounds access (OVERRUN)
Classification: Unclassified
Severity: Unspecified
Action: Modeling Required
Owner: nxa21133
First detected on 2018-10-16.
drivers/crypto/mxs-dcp.c:297:
1. alias: Assigning: "out_buf" = "sdcp->coh->aes_out_buf". "out_buf"
now points to byte 0 of "sdcp->coh->aes_out_buf" (which consists of
4096 bytes).
drivers/crypto/mxs-dcp.c:301:
2. assignment: Assigning: "last_out_len" = "0U".
drivers/crypto/mxs-dcp.c:316:
3. path: Condition "!rctx->ecb", taking true branch.
drivers/crypto/mxs-dcp.c:321:
4. path: Falling through to end of if statement.
drivers/crypto/mxs-dcp.c:325:
5. path: Condition "i < nents", taking false branch.
drivers/crypto/mxs-dcp.c:386:
6. path: Condition "!rctx->ecb", taking true branch.
drivers/crypto/mxs-dcp.c:387:
7. path: Condition "rctx->enc", taking true branch.
drivers/crypto/mxs-dcp.c:388:
8. overrun-buffer-arg: Overrunning buffer pointed to by "out_buf +
(last_out_len - 16U)" of 4096 bytes by passing it to a function which
accesses it at byte offset 4294967295 using argument "16U".
Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Diffstat (limited to 'drivers/crypto/mxs-dcp.c')
-rw-r--r-- | drivers/crypto/mxs-dcp.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/crypto/mxs-dcp.c b/drivers/crypto/mxs-dcp.c index c94481739306..4915b9187477 100644 --- a/drivers/crypto/mxs-dcp.c +++ b/drivers/crypto/mxs-dcp.c @@ -310,6 +310,12 @@ static int mxs_dcp_aes_block_crypt(struct crypto_async_request *arq) actx->fill = 0; + /* + * We are not supporting the case where there is no message to encrypt + */ + if (nents == 0) + return -EINVAL; + /* Copy the key from the temporary location. */ memcpy(key, actx->key, actx->key_len); |