CVE-2023-54325

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> crypto: qat - fix out-of-bounds read<br /> <br /> When preparing an AER-CTR request, the driver copies the key provided by<br /> the user into a data structure that is accessible by the firmware.<br /> If the target device is QAT GEN4, the key size is rounded up by 16 since<br /> a rounded up size is expected by the device.<br /> If the key size is rounded up before the copy, the size used for copying<br /> the key might be bigger than the size of the region containing the key,<br /> causing an out-of-bounds read.<br /> <br /> Fix by doing the copy first and then update the keylen.<br /> <br /> This is to fix the following warning reported by KASAN:<br /> <br /> [ 138.150574] BUG: KASAN: global-out-of-bounds in qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat]<br /> [ 138.150641] Read of size 32 at addr ffffffff88c402c0 by task cryptomgr_test/2340<br /> <br /> [ 138.150651] CPU: 15 PID: 2340 Comm: cryptomgr_test Not tainted 6.2.0-rc1+ #45<br /> [ 138.150659] Hardware name: Intel Corporation ArcherCity/ArcherCity, BIOS EGSDCRB1.86B.0087.D13.2208261706 08/26/2022<br /> [ 138.150663] Call Trace:<br /> [ 138.150668] <br /> [ 138.150922] kasan_check_range+0x13a/0x1c0<br /> [ 138.150931] memcpy+0x1f/0x60<br /> [ 138.150940] qat_alg_skcipher_init_com.isra.0+0x197/0x250 [intel_qat]<br /> [ 138.151006] qat_alg_skcipher_init_sessions+0xc1/0x240 [intel_qat]<br /> [ 138.151073] crypto_skcipher_setkey+0x82/0x160<br /> [ 138.151085] ? prepare_keybuf+0xa2/0xd0<br /> [ 138.151095] test_skcipher_vec_cfg+0x2b8/0x800