If the algorithm passed a zero statesize, do not pass a valid pointer into the export/import functions. Passing a valid pointer covers up bugs in driver code which then go on to smash the kernel stack. Instead, pass NULL, which will cause any attempt to write to the pointer to fail. Signed-off-by: Russell King <rmk+kernel@xxxxxxxxxxxxxxxx> --- crypto/algif_hash.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c index 1396ad0787fc..f450584cb940 100644 --- a/crypto/algif_hash.c +++ b/crypto/algif_hash.c @@ -177,12 +177,16 @@ static int hash_accept(struct socket *sock, struct socket *newsock, int flags) struct alg_sock *ask = alg_sk(sk); struct hash_ctx *ctx = ask->private; struct ahash_request *req = &ctx->req; - char state[crypto_ahash_statesize(crypto_ahash_reqtfm(req))]; + struct crypto_ahash *ahash = crypto_ahash_reqtfm(req); + unsigned int state_size = crypto_ahash_statesize(ahash); + char state_buf[state_size], *state; struct sock *sk2; struct alg_sock *ask2; struct hash_ctx *ctx2; int err; + state = state_size ? state_buf : NULL; + err = crypto_ahash_export(req, state); if (err) return err; -- 2.1.0 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html