* [PATCH 1/2] crypto/ionic: fix buffer overrun when writing session
@ 2024-07-01 15:22 Andrew Boyer
From: Andrew Boyer @ 2024-07-01 15:22 UTC
To: dev; +Cc: Andrew Boyer

Coverity pointed out that, if the final segment of the session key being
written is not a full segment, the loop could potentially read past the
end of the source buffer. Use RTE_MIN() to make sure to only copy as much
of the key as is left.

Coverity issue: 426432
Fixes: 6bc7f2cf6687 ("crypto/ionic: support sessions")

Signed-off-by: Andrew Boyer <andrew.boyer@amd.com>
---
drivers/crypto/ionic/ionic_crypto_main.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/crypto/ionic/ionic_crypto_main.c b/drivers/crypto/ionic/ionic_crypto_main.c
index d4810e3617..9960dc3a6d 100644
--- a/drivers/crypto/ionic/ionic_crypto_main.c
+++ b/drivers/crypto/ionic/ionic_crypto_main.c
@@ -193,7 +193,7 @@ iocpt_session_write(struct iocpt_session_priv *priv,
};
struct iocpt_sess_control_cmd *cmd = &ctx.cmd.sess_control;
uint16_t key_offset;
- uint8_t key_segs, seg;
+ uint8_t key_segs, seg, seg_len;
int err;
key_segs = ((priv->key_len - 1) >> IOCPT_SESS_KEY_SEG_SHFT) + 1;
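Review bot: seg_len is declared uint8_t in the locals here, so the clamped copy length used later in the function is correct only while IOCPT_SESS_KEY_SEG_LEN fits in 8 bits, and the (uint8_t) cast on the RTE_MIN() result will hide a truncation if that constant ever grows. Since the value is only used as the memcpy() length, declaring it as size_t (or uint16_t to match key_offset) would remove the need for the cast.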
@@ -202,8 +202,9 @@ iocpt_session_write(struct iocpt_session_priv *priv,
ctx.pending_work = true;
key_offset = seg * cmd->key_seg_len;
- memcpy(cmd->key, &priv->key[key_offset],
- IOCPT_SESS_KEY_SEG_LEN);
+ seg_len = (uint8_t)RTE_MIN(priv->key_len - key_offset,
+ IOCPT_SESS_KEY_SEG_LEN);
+ memcpy(cmd->key, &priv->key[key_offset], seg_len);
cmd->key_seg_idx = seg;
/* Mark final segment */
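Review bot: key_offset is computed from cmd->key_seg_len while the new clamp uses IOCPT_SESS_KEY_SEG_LEN, so the bound on the memcpy() is right only if those two are always equal; if key_seg_len were larger, priv->key_len - key_offset could go negative or wrap before RTE_MIN() sees it. Using the same quantity in both places would make that explicit. Separately, on a short final segment the bytes of cmd->key past seg_len are no longer written, so they are left as they were from the previous iteration; a memset of the tail, or a comment that the device ignores it, would settle that.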
--
2.17.1
* [PATCH 2/2] crypto/ionic: fix sign extension in queue allocation
From: Andrew Boyer @ 2024-07-01 15:22 UTC
To: dev; +Cc: Andrew Boyer

(uint16_t * uint16_t) promoted to uint64_t has a sign extension
problem reported by Coverity. Cast one arg to uint64_t first
to eliminate the sign extension.

Coverity issue: 426422
Coverity issue: 426427
Fixes: 2c1662bb53ca ("crypto/ionic: add adminq command")

Signed-off-by: Andrew Boyer <andrew.boyer@amd.com>
---
drivers/crypto/ionic/ionic_crypto_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/ionic/ionic_crypto_main.c b/drivers/crypto/ionic/ionic_crypto_main.c
index 9960dc3a6d..f670d6e658 100644
--- a/drivers/crypto/ionic/ionic_crypto_main.c
+++ b/drivers/crypto/ionic/ionic_crypto_main.c
@@ -88,7 +88,7 @@ iocpt_q_init(struct iocpt_queue *q, uint8_t type, uint32_t index,
q->tail_idx = 0;
q->info = rte_calloc_socket("iocpt",
- num_descs * num_segs, sizeof(void *),
+ (uint64_t)num_descs * num_segs, sizeof(void *),
rte_mem_page_size(), socket_id);
if (q->info == NULL) {
IOCPT_PRINT(ERR, "Cannot allocate queue info");
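Review bot: the cast on the first argument of rte_calloc_socket() is to uint64_t, but that parameter is a size_t element count; `(size_t)num_descs * num_segs` would do the multiplication in the type the callee takes and avoid an implicit narrowing on 32-bit builds. With both operands uint16_t, as the commit message states, the product fits in 32 bits either way, so this is a style point rather than a correctness one.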
--
2.17.1
* RE: [EXTERNAL] [PATCH 1/2] crypto/ionic: fix buffer overrun when writing session
From: Akhil Goyal @ 2024-07-03 17:30 UTC
To: Andrew Boyer, dev
> Coverity pointed out that, if the final segment of the session key being
> written is not a full segment, the loop could potentially read past the
> end of the source buffer. Use RTE_MIN() to make sure to only copy as much
> of the key as is left.
>
> Coverity issue: 426432
> Fixes: 6bc7f2cf6687 ("crypto/ionic: support sessions")
>
> Signed-off-by: Andrew Boyer <andrew.boyer@amd.com>
Series applied to dpdk-next-crypto
Thanks.