patch 'crypto/cnxk: fix out-of-bound access' has been queued to stable release 23.11.2

Xueming Li xuemingl at nvidia.com
Mon Aug 12 14:48:13 CEST 2024


Hi,

FYI, your patch has been queued to stable release 23.11.2

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 08/14/24. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://git.dpdk.org/dpdk-stable/log/?h=23.11-staging

This queued commit can be viewed at:
https://git.dpdk.org/dpdk-stable/commit/?h=23.11-staging&id=6034788bd6b026603f12aeafd566adf6bfc4d9ca

Thanks.

Xueming Li <xuemingl at nvidia.com>

---
>From 6034788bd6b026603f12aeafd566adf6bfc4d9ca Mon Sep 17 00:00:00 2001
From: Gowrishankar Muthukrishnan <gmuthukrishn at marvell.com>
Date: Sat, 15 Jun 2024 17:03:01 +0530
Subject: [PATCH] crypto/cnxk: fix out-of-bound access
Cc: Xueming Li <xuemingl at nvidia.com>

[ upstream commit 49ad3426882807bbeec22311bdb28fcab8c3ee13 ]

Fix out-of-bound issues reported by coverity scan.

Coverity issue: 403164, 403165, 403166, 403167, 403169, 403170, 403171,
                403172, 403173, 403174, 403176, 403178, 403179, 403180
Fixes: 5686b573e4bb ("crypto/cnxk: support SM2")
Fixes: badc0c6f6d6a ("cryptodev: set private and public keys in EC session")

Signed-off-by: Gowrishankar Muthukrishnan <gmuthukrishn at marvell.com>
---
 drivers/common/cnxk/roc_ae.h  | 16 +++++++++-------
 drivers/crypto/cnxk/cnxk_ae.h | 24 +++++++++++++++++++-----
 2 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/drivers/common/cnxk/roc_ae.h b/drivers/common/cnxk/roc_ae.h
index a9a08d9fb9..7886b9d107 100644
--- a/drivers/common/cnxk/roc_ae.h
+++ b/drivers/common/cnxk/roc_ae.h
@@ -53,29 +53,31 @@ typedef enum {
 	ROC_AE_ERR_ECC_POINT_NOT_ON_CURVE = 0x11
 } roc_ae_error_code;
 
+#define ROC_AE_EC_DATA_MAX 66
+
 /* Prime and order fields of built-in elliptic curves */
 struct roc_ae_ec_group {
 	struct {
 		/* P521 maximum length */
-		uint8_t data[66];
+		uint8_t data[ROC_AE_EC_DATA_MAX];
 		unsigned int length;
 	} prime;
 
 	struct {
 		/* P521 maximum length */
-		uint8_t data[66];
+		uint8_t data[ROC_AE_EC_DATA_MAX];
 		unsigned int length;
 	} order;
 
 	struct {
 		/* P521 maximum length */
-		uint8_t data[66];
+		uint8_t data[ROC_AE_EC_DATA_MAX];
 		unsigned int length;
 	} consta;
 
 	struct {
 		/* P521 maximum length */
-		uint8_t data[66];
+		uint8_t data[ROC_AE_EC_DATA_MAX];
 		unsigned int length;
 	} constb;
 };
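Review bot: ROC_AE_EC_DATA_MAX is introduced without a comment, while the reason for the value stays repeated on each member as `/* P521 maximum length */`. Putting the rationale on the macro, for example `/* Largest EC field element in bytes (P-521) */`, keeps it next to the number that the bounds checks in cnxk_ae.h now compare against. The roc_ae_ec_ctx members in the next hunk use the same constant with no comment at all.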
@@ -86,18 +88,18 @@ struct roc_ae_ec_ctx {
 
 	/* Private key */
 	struct {
-		uint8_t data[66];
+		uint8_t data[ROC_AE_EC_DATA_MAX];
 		unsigned int length;
 	} pkey;
 
 	/* Public key */
 	struct {
 		struct {
-			uint8_t data[66];
+			uint8_t data[ROC_AE_EC_DATA_MAX];
 			unsigned int length;
 		} x;
 		struct {
-			uint8_t data[66];
+			uint8_t data[ROC_AE_EC_DATA_MAX];
 			unsigned int length;
 		} y;
 	} q;
diff --git a/drivers/crypto/cnxk/cnxk_ae.h b/drivers/crypto/cnxk/cnxk_ae.h
index ea11e093bf..a843d6b5ef 100644
--- a/drivers/crypto/cnxk/cnxk_ae.h
+++ b/drivers/crypto/cnxk/cnxk_ae.h
@@ -205,16 +205,22 @@ cnxk_ae_fill_ec_params(struct cnxk_ae_sess *sess,
 		return 0;
 
 	ec->pkey.length = xform->ec.pkey.length;
-	if (xform->ec.pkey.length)
-		rte_memcpy(ec->pkey.data, xform->ec.pkey.data, xform->ec.pkey.length);
+	if (ec->pkey.length > ROC_AE_EC_DATA_MAX)
+		ec->pkey.length = ROC_AE_EC_DATA_MAX;
+	if (ec->pkey.length)
+		rte_memcpy(ec->pkey.data, xform->ec.pkey.data, ec->pkey.length);
 
 	ec->q.x.length = xform->ec.q.x.length;
-	if (xform->ec.q.x.length)
-		rte_memcpy(ec->q.x.data, xform->ec.q.x.data, xform->ec.q.x.length);
+	if (ec->q.x.length > ROC_AE_EC_DATA_MAX)
+		ec->q.x.length = ROC_AE_EC_DATA_MAX;
+	if (ec->q.x.length)
+		rte_memcpy(ec->q.x.data, xform->ec.q.x.data, ec->q.x.length);
 
 	ec->q.y.length = xform->ec.q.y.length;
+	if (ec->q.y.length > ROC_AE_EC_DATA_MAX)
+		ec->q.y.length = ROC_AE_EC_DATA_MAX;
 	if (xform->ec.q.y.length)
-		rte_memcpy(ec->q.y.data, xform->ec.q.y.data, xform->ec.q.y.length);
+		rte_memcpy(ec->q.y.data, xform->ec.q.y.data, ec->q.y.length);
 
 	return 0;
 }
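Review bot: Clamping an oversize length to ROC_AE_EC_DATA_MAX stops the overflow, but the session then silently holds a truncated private or public key, so later operations would run on key material the caller never supplied. The function already returns an int, so rejecting the transform looks safer, e.g. `if (xform->ec.pkey.length > ROC_AE_EC_DATA_MAX) return -EINVAL;` before the copy, with the same check for q.x and q.y. Separately, the q.y branch still guards on `xform->ec.q.y.length` while the other two were switched to the clamped field; that is harmless here but inconsistent, and `if (ec->q.y.length)` would match. The function starts outside this hunk, so any earlier validation of these lengths is not visible.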
@@ -735,7 +741,11 @@ cnxk_ae_sm2_sign_prep(struct rte_crypto_sm2_op_param *sm2,
 	uint8_t *dptr;
 
 	prime_len = ec_grp->prime.length;
+	if (prime_len > ROC_AE_EC_DATA_MAX)
+		prime_len = ROC_AE_EC_DATA_MAX;
 	order_len = ec_grp->order.length;
+	if (order_len > ROC_AE_EC_DATA_MAX)
+		order_len = ROC_AE_EC_DATA_MAX;
 
 	/* Truncate input length to curve prime length */
 	if (message_len > prime_len)
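Review bot: The clamp of prime_len and order_len has no comment saying what it protects, and the lines that consume these lengths are outside the hunk, so a reader cannot tell which copies are being bounded. A comment above the first clamp such as `/* Bound group lengths to the roc_ae_ec_group data[] size */` would record the intent. If ec_grp comes from the built-in curve table, as the struct comment in roc_ae.h suggests, a length above the maximum would mean a corrupted table rather than bad input, and clamping hides that; it is worth confirming whether failing the operation is preferable. The same four lines are added to cnxk_ae_sm2_verify_prep in the next hunk.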
@@ -822,7 +832,11 @@ cnxk_ae_sm2_verify_prep(struct rte_crypto_sm2_op_param *sm2,
 	uint8_t *dptr;
 
 	prime_len = ec_grp->prime.length;
+	if (prime_len > ROC_AE_EC_DATA_MAX)
+		prime_len = ROC_AE_EC_DATA_MAX;
 	order_len = ec_grp->order.length;
+	if (order_len > ROC_AE_EC_DATA_MAX)
+		order_len = ROC_AE_EC_DATA_MAX;
 
 	/* Truncate input length to curve prime length */
 	if (message_len > prime_len)
-- 
2.34.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2024-08-12 20:44:03.150609149 +0800
+++ 0016-crypto-cnxk-fix-out-of-bound-access.patch	2024-08-12 20:44:01.905069257 +0800
@@ -1 +1 @@
-From 49ad3426882807bbeec22311bdb28fcab8c3ee13 Mon Sep 17 00:00:00 2001
+From 6034788bd6b026603f12aeafd566adf6bfc4d9ca Mon Sep 17 00:00:00 2001
@@ -4,0 +5,3 @@
+Cc: Xueming Li <xuemingl at nvidia.com>
+
+[ upstream commit 49ad3426882807bbeec22311bdb28fcab8c3ee13 ]
@@ -12 +14,0 @@
-Cc: stable at dpdk.org

