Commit 8720bd0c authored by Aleksandr Mishin's avatar Aleksandr Mishin Committed by liwei
Browse files

crypto: bcm - Fix pointer arithmetic 

mainline inclusion
from mainline-v6.10-rc1
commit 2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IA6S5T
CVE: CVE-2024-38579

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9



--------------------------------

In spu2_dump_omd() value of ptr is increased by ciph_key_len
instead of hash_iv_len which could lead to going beyond the
buffer boundaries.
Fix this bug by changing ciph_key_len to hash_iv_len.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 9d12ba86 ("crypto: brcm - Add Broadcom SPU driver")
Signed-off-by: default avatarAleksandr Mishin <amishin@t-argos.ru>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: default avatardengquan <dengquan9@huawei.com>
parent 986fcc8f

drivers/crypto/bcm/spu2.c

+1 −1
Original line number Diff line number Diff line
@@ -495,7 +495,7 @@ static void spu2_dump_omd(u8 *omd, u16 hash_key_len, u16 ciph_key_len, 
	if (hash_iv_len) {

		packet_log("  Hash IV Length %u bytes\n", hash_iv_len);

		packet_dump("  hash IV: ", ptr, hash_iv_len);

		ptr += ciph_key_len;

		ptr += hash_iv_len;

	}



	if (ciph_iv_len) {