fix(nxp-crypto): fix coverity issue
In function "desc_length", LSB byte of the first word of the
descriptor will be anded with 0x7F, to get the number of words
constructing the descriptor.
LSB byte of the first word of the descriptor is auto-incremented
with each add_word used while constructing the descriptor.
But if function "desc_add_word" is called more than
MAX_DESC_SIZE_WORDS times, then only the function "desc_length",
can return number of words greater than MAX_DESC_SIZE_WORDS.
This is the condition when core can overwrite the out of bound
memory.
Hence, the following fix is needed:
- Before adding any new word to the descriptor, a check for
max word length needs to be added, into these functions:
"desc_add_word" & "desc_add_ptr".
Signed-off-by: Pankaj Gupta <pankaj.gupta@nxp.com>
Signed-off-by: Jiafei Pan <Jiafei.Pan@nxp.com>
Change-Id: If896cd2e02ecde72fb09c5147119dec4f2f84bc3
diff --git a/drivers/nxp/crypto/caam/src/jobdesc.c b/drivers/nxp/crypto/caam/src/jobdesc.c
index f559c4b..fb470ba 100644
--- a/drivers/nxp/crypto/caam/src/jobdesc.c
+++ b/drivers/nxp/crypto/caam/src/jobdesc.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2017-2020 NXP
+ * Copyright 2017-2022 NXP
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -41,6 +41,8 @@
{
uint32_t len = desc_length(desc);
+ assert((len + 1) < MAX_DESC_SIZE_WORDS);
+
/* Add Word at Last */
uint32_t *last = desc + len;
*last = word;
@@ -54,6 +56,9 @@
{
uint32_t len = desc_length(desc);
+ assert((len + (uint32_t) (sizeof(phys_addr_t) / sizeof(uint32_t)))
+ < MAX_DESC_SIZE_WORDS);
+
/* Add Word at Last */
phys_addr_t *last = (phys_addr_t *) (desc + len);