crypto: msm: Check destination buffer write access
Use VERIFY_WRITE to check write access to destination buffers
before writing to them.
Change-Id: If9708695e85659bb25e13762c54dd50abd9577c7
Signed-off-by: Mona Hossain <mhossain@codeaurora.org>
diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c
index c726694..0b2714a 100644
--- a/drivers/crypto/msm/qcedev.c
+++ b/drivers/crypto/msm/qcedev.c
@@ -1413,12 +1413,37 @@
return -EFAULT;
/* Verify Destination Address's */
- if (areq->cipher_op_req.in_place_op != 1)
- for (i = 0; i < areq->cipher_op_req.entries; i++)
- if (!access_ok(VERIFY_READ,
- (void __user *)areq->cipher_op_req.vbuf.dst[i].vaddr,
- areq->cipher_op_req.vbuf.dst[i].len))
- return -EFAULT;
+ if (creq->in_place_op != 1) {
+ for (i = 0, total = 0; i < QCEDEV_MAX_BUFFERS; i++) {
+ if ((areq->cipher_op_req.vbuf.dst[i].vaddr != 0) &&
+ (total < creq->data_len)) {
+ if (!access_ok(VERIFY_WRITE,
+ (void __user *)creq->vbuf.dst[i].vaddr,
+ creq->vbuf.dst[i].len)) {
+ pr_err("%s:DST WR_VERIFY err %d=0x%x\n",
+ __func__, i,
+ (u32)creq->vbuf.dst[i].vaddr);
+ return -EFAULT;
+ }
+ total += creq->vbuf.dst[i].len;
+ }
+ }
+ } else {
+ for (i = 0, total = 0; i < creq->entries; i++) {
+ if (total < creq->data_len) {
+ if (!access_ok(VERIFY_WRITE,
+ (void __user *)creq->vbuf.src[i].vaddr,
+ creq->vbuf.src[i].len)) {
+ pr_err("%s:SRC WR_VERIFY err %d=0x%x\n",
+ __func__, i,
+ (u32)creq->vbuf.src[i].vaddr);
+ return -EFAULT;
+ }
+ total += creq->vbuf.src[i].len;
+ }
+ }
+ }
+ total = 0;
if (areq->cipher_op_req.mode == QCEDEV_AES_MODE_CTR)
byteoffset = areq->cipher_op_req.byteoffset;