diff options
| author | Giovanni Cabiddu <giovanni.cabiddu@intel.com> | 2026-05-28 16:57:44 +0100 |
|---|---|---|
| committer | Herbert Xu <herbert@gondor.apana.org.au> | 2026-06-11 13:53:58 +0800 |
| commit | b3ac78756588059729b9195fcc9f4b37d54057a5 (patch) | |
| tree | 524f40437c588e32031d3ce23e86533f797961d8 /scripts/Makefile.thinlto | |
| parent | 79bbe453e5bfa6e1c6aa2e8329bfc8f152b81c9b (diff) | |
crypto: qat - validate RSA CRT component lengths
The generic RSA key parser (rsa_helper.c) bounds each CRT component (p,
q, dp, dq, qinv) by the modulus size n_sz, but qat_rsa_setkey_crt()
allocates half-size DMA buffers (key_sz / 2) and right-aligns each
component with:
memcpy(dst + half_key_sz - len, src, len)
When a CRT component is larger than half_key_sz the subtraction
underflows and memcpy writes past the DMA buffer, causing memory
corruption.
Add a len > half_key_sz check next to the existing !len check for each
of the five CRT components so the driver falls back to the non-CRT path
instead of writing out of bounds.
Fixes: 879f77e9071f ("crypto: qat - Add RSA CRT mode")
Cc: stable@vger.kernel.org
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
Reviewed-by: Laurent M Coquerel <laurent.m.coquerel@intel.com>
Tested-by: Laurent M Coquerel <laurent.m.coquerel@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'scripts/Makefile.thinlto')
0 files changed, 0 insertions, 0 deletions