Commit 1aaae055 authored by Adam Guerin's avatar Adam Guerin Committed by Herbert Xu

crypto: qat - fix potential spectre issue

Sanitize ring_num value coming from configuration (and potentially
from user space) before it is used as index in the banks array.

This issue was detected by smatch:

    drivers/crypto/qat/qat_common/adf_transport.c:233 adf_create_ring() warn: potential spectre issue 'bank->rings' [r] (local cap)
Signed-off-by: default avatarAdam Guerin <adam.guerin@intel.com>
Reviewed-by: default avatarGiovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: default avatarGiovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent 0db0d797
// SPDX-License-Identifier: (BSD-3-Clause OR GPL-2.0-only) // SPDX-License-Identifier: (BSD-3-Clause OR GPL-2.0-only)
/* Copyright(c) 2014 - 2020 Intel Corporation */ /* Copyright(c) 2014 - 2020 Intel Corporation */
#include <linux/delay.h> #include <linux/delay.h>
#include <linux/nospec.h>
#include "adf_accel_devices.h" #include "adf_accel_devices.h"
#include "adf_transport_internal.h" #include "adf_transport_internal.h"
#include "adf_transport_access_macros.h" #include "adf_transport_access_macros.h"
...@@ -246,6 +247,7 @@ int adf_create_ring(struct adf_accel_dev *accel_dev, const char *section, ...@@ -246,6 +247,7 @@ int adf_create_ring(struct adf_accel_dev *accel_dev, const char *section,
return -EFAULT; return -EFAULT;
} }
ring_num = array_index_nospec(ring_num, num_rings_per_bank);
bank = &transport_data->banks[bank_num]; bank = &transport_data->banks[bank_num];
if (adf_reserve_ring(bank, ring_num)) { if (adf_reserve_ring(bank, ring_num)) {
dev_err(&GET_DEV(accel_dev), "Ring %d, %s already exists.\n", dev_err(&GET_DEV(accel_dev), "Ring %d, %s already exists.\n",
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment