qcrypto: protect potential integer overflow. Adding user passed parameters without check might lead to Integer overflow and unpredictable system behaviour. CVE-2016-10230 Change-Id: Iaf8259e3c4a157e1790f1447b1b62a646988b7c4 Signed-off-by: Neeraj Soni <neersoni@codeaurora.org>

commit: 46bc2c341a3f24e0f97ed003380d4b8ace6fa1ba [log] [tgz]
author: Neeraj Soni <neersoni@codeaurora.org> Mon Nov 28 18:23:33 2016 +0530
committer: David C. Park <davidc.park@lge.com> Tue May 02 16:09:10 2017 -0700
tree: 204f3397093fc5a32561ff5605ce300754b541af
parent: 787338f1960c46357eb478c04a3bc04112444695 [diff]
diff --git a/drivers/crypto/msm/qce50.c b/drivers/crypto/msm/qce50.c
index 8e75dc4..1527198 100644
--- a/drivers/crypto/msm/qce50.c
+++ b/drivers/crypto/msm/qce50.c

@@ -4506,6 +4506,12 @@
 	else
 		q_req->cryptlen = areq->cryptlen - authsize;
 
+	if ((q_req->cryptlen > UINT_MAX - areq->assoclen) ||
+		(q_req->cryptlen + areq->assoclen > UINT_MAX - ivsize)) {
+			pr_err("Integer overflow on total aead req length.\n");
+			return -EINVAL;
+	}
+
 	totallen = q_req->cryptlen + areq->assoclen + ivsize;
 
 	if (pce_dev->support_cmd_dscr) {
commit	46bc2c341a3f24e0f97ed003380d4b8ace6fa1ba	[log] [tgz]
author	Neeraj Soni <neersoni@codeaurora.org>	Mon Nov 28 18:23:33 2016 +0530
committer	David C. Park <davidc.park@lge.com>	Tue May 02 16:09:10 2017 -0700
tree	204f3397093fc5a32561ff5605ce300754b541af
parent	787338f1960c46357eb478c04a3bc04112444695 [diff]