crypto: cavium - prevent integer overflow loading firmware

[ Upstream commit 5f1cdfe7723b6139e469e47a4f69020e387e061c ]

The "code_length" value comes from the firmware file.  If your firmware
is untrusted realistically there is probably very little you can do to
protect yourself.  Still we try to limit the damage as much as possible.
Also Smatch marks any data read from the filesystem as untrusted and
prints warnings if it not capped correctly.

The "ntohl(ucode->code_length) * 2" multiplication can have an
integer overflow.

Fixes: b4451ad6d9e1 ("crypto: cavium - Add Support for Octeon-tx CPT Engine")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/crypto/cavium/cpt/cptpf_main.c b/drivers/crypto/cavium/cpt/cptpf_main.c
index 7819490274512635a9c0323fc3dc6229c3d39c72..d9362199423f2d0b77ef181d0a983c1532373c66 100644 (file)
--- a/drivers/crypto/cavium/cpt/cptpf_main.c
+++ b/drivers/crypto/cavium/cpt/cptpf_main.c
@@ -254,6 +254,7 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae)
        const struct firmware *fw_entry;
        struct device *dev = &cpt->pdev->dev;
        struct ucode_header *ucode;
+       unsigned int code_length;
        struct microcode *mcode;
        int j, ret = 0;
 
@@ -264,11 +265,12 @@ static int cpt_ucode_load_fw(struct cpt_device *cpt, const u8 *fw, bool is_ae)
        ucode = (struct ucode_header *)fw_entry->data;
        mcode = &cpt->mcode[cpt->next_mc_idx];
        memcpy(mcode->version, (u8 *)fw_entry->data, CPT_UCODE_VERSION_SZ);
-       mcode->code_size = ntohl(ucode->code_length) * 2;
-       if (!mcode->code_size) {
+       code_length = ntohl(ucode->code_length);
+       if (code_length == 0 || code_length >= INT_MAX / 2) {
                ret = -EINVAL;
                goto fw_release;
        }
+       mcode->code_size = code_length * 2;
 
        mcode->is_ae = is_ae;
        mcode->core_mask = 0ULL;