Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

crypto: starfive - Correctly handle return of sg_nents_for_len

The return value of sg_nents_for_len was assigned to an unsigned long
in starfive_hash_digest, causing negative error codes to be converted
to large positive integers.

Add error checking for sg_nents_for_len and return immediately on
failure to prevent potential buffer overflows.

Fixes: 7883d1b28a2b ("crypto: starfive - Add hash and HMAC support")
Signed-off-by: Haotian Zhang <vulab@iscas.ac.cn>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

authored by Haotian Zhang and committed by Herbert Xu
e9eb5203 76ce17f6

+5 -1
drivers/crypto/starfive/jh7110-hash.c
··· 325 325 struct starfive_cryp_ctx *ctx = crypto_ahash_ctx(tfm); 326 326 struct starfive_cryp_request_ctx *rctx = ahash_request_ctx(req); 327 327 struct starfive_cryp_dev *cryp = ctx->cryp; 328 + int sg_len; 328 329 329 330 memset(rctx, 0, sizeof(struct starfive_cryp_request_ctx)); 330 331 ··· 334 333 rctx->in_sg = req->src; 335 334 rctx->blksize = crypto_tfm_alg_blocksize(crypto_ahash_tfm(tfm)); 336 335 rctx->digsize = crypto_ahash_digestsize(tfm); 337 - rctx->in_sg_len = sg_nents_for_len(rctx->in_sg, rctx->total); 336 + sg_len = sg_nents_for_len(rctx->in_sg, rctx->total); 337 + if (sg_len < 0) 338 + return sg_len; 339 + rctx->in_sg_len = sg_len; 338 340 ctx->rctx = rctx; 339 341 340 342 return crypto_transfer_hash_request_to_engine(cryp->engine, req);
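
Review bot: the value checked by `if (sg_len < 0)` is still copied into `rctx->in_sg_len`, which the commit message says is an unsigned long, so the fix only holds as long as every writer of that field goes through a signed temporary first. Consider a one-line comment above `sg_len = sg_nents_for_len(rctx->in_sg, rctx->total);` explaining why the signed local exists, or making the field itself signed so the error check can be done on it directly. The early `return sg_len;` sits after the `memset()` and the `rctx` field assignments but before `ctx->rctx = rctx;`; nothing in the visible lines is allocated or mapped before that point, so no unwind appears to be needed, but it is worth confirming that against the part of the function the hunk does not show.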