crypto: bcm - Fix pointer arithmetic

[ Upstream commit 2b3460cbf454c6b03d7429e9ffc4fe09322eb1a9 ] In spu2_dump_omd() value of ptr is increased by ciph_key_len instead of hash_iv_len which could lead to going beyond the buffer boundaries. Fix this bug by changing ciph_key_len to hash_iv_len. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: Aleksandr Mishin <amishin@t-argos.ru> 2024-03-22 23:59:15 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2024-06-12 12:11:31 +0300
commit: d0f14ae223c2421b334c1f1a9e48f1e809aee3a0 (patch)
tree: 5e1899e0760202b783b965151b6dc4062e4c1ba0
parent: d142957377c291478524269495929cb1e31920ba (diff)
download: linux-d0f14ae223c2421b334c1f1a9e48f1e809aee3a0.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/crypto/bcm/spu2.c b/drivers/crypto/bcm/spu2.c
index 07989bb8c220..3fdc64b5a65e 100644
--- a/drivers/crypto/bcm/spu2.c
+++ b/drivers/crypto/bcm/spu2.c
@@ -495,7 +495,7 @@ static void spu2_dump_omd(u8 *omd, u16 hash_key_len, u16 ciph_key_len,
 	if (hash_iv_len) {
 		packet_log("  Hash IV Length %u bytes\n", hash_iv_len);
 		packet_dump("  hash IV: ", ptr, hash_iv_len);
-		ptr += ciph_key_len;
+		ptr += hash_iv_len;
 	}
 
 	if (ciph_iv_len) {
author	Aleksandr Mishin <amishin@t-argos.ru>	2024-03-22 23:59:15 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2024-06-12 12:11:31 +0300
commit	d0f14ae223c2421b334c1f1a9e48f1e809aee3a0 (patch)
tree	5e1899e0760202b783b965151b6dc4062e4c1ba0
parent	d142957377c291478524269495929cb1e31920ba (diff)
download	linux-d0f14ae223c2421b334c1f1a9e48f1e809aee3a0.tar.xz