authorKonduri Praveen <kondurip@nvidia.com>2017-04-27 14:40:36 +0530
committerWinnie Hsu <whsu@nvidia.com>2017-05-02 11:00:31 -0700
commitb16c5fd826c790df730665dcb0835ce9631ac5e1 (patch)
tree22699b2a1f1d722e4917db38c9b2ca6c954d9cc5
parentf93b0de608beb4d492bb45d7c264f1cf45940dc8 (diff)
tegra-cryptodev:check valid SHA message length
SHA message length is provided from user space through IOCTL call. If this length is not valid, then it can lead to panic due to buffer overflow. Fix by checking message length for SHA before copying from user space Bug 1883640 Change-Id: Idc5c6074784290b4622b1c23e5feb43849100cb5 Signed-off-by: Konduri Praveen <kondurip@nvidia.com> Reviewed-on: http://git-master/r/1471180 Reviewed-by: Automatic_Commit_Validation_User GVS: Gerrit_Virtual_Submit Reviewed-by: Mallikarjun Kasoju <mkasoju@nvidia.com> Reviewed-by: Bibek Basu <bbasu@nvidia.com>
-rw-r--r--drivers/misc/tegra-cryptodev.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/drivers/misc/tegra-cryptodev.c b/drivers/misc/tegra-cryptodev.c
index 7d95fcc6f156..a5434b66cc30 100644
--- a/drivers/misc/tegra-cryptodev.c
+++ b/drivers/misc/tegra-cryptodev.c
@@ -3,7 +3,7 @@
*
* crypto dev node for NVIDIA tegra aes hardware
*
- * Copyright (c) 2010-2014, NVIDIA Corporation. All Rights Reserved.
+ * Copyright (c) 2010-2017, NVIDIA Corporation. All Rights Reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -539,6 +539,11 @@ static int tegra_crypto_sha(struct tegra_sha_req *sha_req)
unsigned long *xbuf[XBUFSIZE];
int ret = -ENOMEM;
+ if (sha_req->plaintext_sz > PAGE_SIZE) {
+ pr_err("alg:hash: invalid plaintext_sz for sha_req\n");
+ return -EINVAL;
+ }
+
tfm = crypto_alloc_ahash(sha_req->algo, 0, 0);
if (IS_ERR(tfm)) {
pr_err("alg:hash:Failed to load transform for %s:%ld\n",
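Review bot: The new rejection path logs with `pr_err` on a value that comes straight from the ioctl caller, so any process able to open the device node can fill the kernel log by repeating the call with an oversized `plaintext_sz`. Using `pr_err_ratelimited("alg:hash: invalid plaintext_sz for sha_req\n");` keeps the diagnostic while bounding the noise. The bound is also unexplained: `PAGE_SIZE` presumably matches the size of the buffer the plaintext is later copied into, but that copy is outside the hunk, so this should be confirmed against the allocation. A comment above the check such as `/* plaintext is copied into a single page; reject larger requests */` would tie the limit to the destination and keep the two in step if the buffer size changes. The body of `tegra_crypto_sha` begins before and continues after this hunk.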