commit 9e70f2949364035043545a802f7f0ebb4d85202e
author AnilKumar Chimata <anilc@codeaurora.org> Fri Oct 04 19:34:53 2013 +0530
committer Gerrit - the friendly Code Review server <code-review@localhost> Tue Nov 19 06:55:15 2013 -0800
tree ca505f10eab08ccf472aae91382a4db67ef74d42
parent 6f51c44f07bf6e393e93e87fc2e76c7b1b35d577

crypto: msm: Fix issues related to non-zero byteoffset input

Fix buffer overflow for a non-zero byteoffset value.

Also fixes memory leak issue by adding data_len check in check_params.
One of the scenarios data_len can be less than byteoffset which results
in memory leak with huge data length, which might cause the kernel panic.

Change-Id: I3f773673219f45dad4f17499b1ee0feda2aff1f7
Signed-off-by: AnilKumar Chimata <anilc@codeaurora.org>

drivers/crypto/msm/qcedev.c

diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c
index 81a90fe..25446b2 100644
--- a/drivers/crypto/msm/qcedev.c
+++ b/drivers/crypto/msm/qcedev.c
@@ -1339,7 +1339,7 @@
 				areq->cipher_op_req.vbuf.src[0].len))
 		return -EFAULT;
 
-	k_align_src += areq->cipher_op_req.vbuf.src[0].len;
+	k_align_src += byteoffset + areq->cipher_op_req.vbuf.src[0].len;
 
 	for (i = 1; i < areq->cipher_op_req.entries; i++) {
 		user_src =
@@ -1701,6 +1701,13 @@
 			goto error;
 		}
 	}
+
+	if (req->data_len < req->byteoffset) {
+		pr_err("%s: req data length %u is less than byteoffset %u\n",
+				__func__, req->data_len, req->byteoffset);
+		goto error;
+	}
+
 	/* Ensure zer ivlen for ECB  mode  */
 	if (req->ivlen > 0) {
 		if ((req->mode == QCEDEV_AES_MODE_ECB) ||