crypto: bcm - Fix pointer arithmetic

PlaidCat · PlaidCat · commit 9e03dd2cf358 · 2024-09-12T13:28:20.000-04:00
jira LE-1907 cve CVE-2024-38579 Rebuild_History Non-Buildable kernel-5.14.0-427.33.1.el9_4 commit-author Aleksandr Mishin <amishin@t-argos.ru> commit 2b3460c In spu2_dump_omd() value of ptr is increased by ciph_key_len instead of hash_iv_len which could lead to going beyond the buffer boundaries. Fix this bug by changing ciph_key_len to hash_iv_len. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 9d12ba8 ("crypto: brcm - Add Broadcom SPU driver") Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> (cherry picked from commit 2b3460c) Signed-off-by: Jonathan Maple <jmaple@ciq.com>
diff --git a/drivers/crypto/bcm/spu2.c b/drivers/crypto/bcm/spu2.c
@@ -495,7 +495,7 @@ static void spu2_dump_omd(u8 *omd, u16 hash_key_len, u16 ciph_key_len,
 	if (hash_iv_len) {
 		packet_log("  Hash IV Length %u bytes\n", hash_iv_len);
 		packet_dump("  hash IV: ", ptr, hash_iv_len);
-		ptr += ciph_key_len;
+		ptr += hash_iv_len;
 	}
 
 	if (ciph_iv_len) {

Original file line number	Diff line number	Diff line change
`@@ -495,7 +495,7 @@ static void spu2_dump_omd(u8 *omd, u16 hash_key_len, u16 ciph_key_len,`
`495`	`495`	`if (hash_iv_len) {`
`496`	`496`	`packet_log(" Hash IV Length %u bytes\n", hash_iv_len);`
`497`	`497`	`packet_dump(" hash IV: ", ptr, hash_iv_len);`
`498`		`- ptr += ciph_key_len;`
	`498`	`+ ptr += hash_iv_len;`
`499`	`499`	`}`
`500`	`500`
`501`	`501`	`if (ciph_iv_len) {`