[PATCH] crypto/qat: fix stack buffer overflow in SGL loop
Ciara Power
ciara.power at intel.com
Fri Apr 14 14:31:31 CEST 2023
The cvec pointer was incremented incorrectly in the case where the
length of remaining_off equals cvec len, and there is no next cvec.
This led to cvec->iova being invalid memory to access.
Instead, only increment the cvec pointer when we know there is a next
cvec to point to, by checking the i value, which represents the number
of cvecs available.
If i is 0, then no need to increment as the current cvec is the last one.
Fixes: a815a04cea05 ("crypto/qat: support symmetric build op request")
Cc: kai.ji at intel.com
Cc: stable at dpdk.org
Signed-off-by: Ciara Power <ciara.power at intel.com>
---
drivers/crypto/qat/dev/qat_crypto_pmd_gens.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/crypto/qat/dev/qat_crypto_pmd_gens.h b/drivers/crypto/qat/dev/qat_crypto_pmd_gens.h
index 524c291340..092265631b 100644
--- a/drivers/crypto/qat/dev/qat_crypto_pmd_gens.h
+++ b/drivers/crypto/qat/dev/qat_crypto_pmd_gens.h
@@ -682,7 +682,8 @@ enqueue_one_chain_job_gen1(struct qat_sym_session *ctx,
while (remaining_off >= cvec->len && i >= 1) {
i--;
remaining_off -= cvec->len;
- cvec++;
+ if (i)
+ cvec++;
}
auth_iova_end = cvec->iova + remaining_off;
--
2.25.1
More information about the stable
mailing list