On Mon, Jan 18, 2016 at 11:46 AM, Herbert Xu
<herbert@xxxxxxxxxxxxxxxxxxx> wrote:
> On Fri, Jan 15, 2016 at 07:22:04PM +0100, Dmitry Vyukov wrote:
>> Hello,
>>
>> The following program causes slab-out-of-bounds in skcipher_recvmsg:
>
> Thanks for the report. This patch should fix it.
Fixes the issue for me. Thanks!
Tested-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
> ---8<---
> Subject: crypto: algif_skcipher - Load TX SG list after waiting
>
> We need to load the TX SG list in sendmsg(2) after waiting for
> incoming data, not before.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
> Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
>
> diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
> index dfff8b0..df86fb4 100644
> --- a/crypto/algif_skcipher.c
> +++ b/crypto/algif_skcipher.c
> @@ -647,13 +647,6 @@ static int skcipher_recvmsg_sync(struct socket *sock, struct msghdr *msg,
>
> lock_sock(sk);
> while (msg_data_left(msg)) {
> - sgl = list_first_entry(&ctx->tsgl,
> - struct skcipher_sg_list, list);
> - sg = sgl->sg;
> -
> - while (!sg->length)
> - sg++;
> -
> if (!ctx->used) {
> err = skcipher_wait_for_data(sk, flags);
> if (err)
> @@ -674,6 +667,13 @@ static int skcipher_recvmsg_sync(struct socket *sock, struct msghdr *msg,
> if (!used)
> goto free;
>
> + sgl = list_first_entry(&ctx->tsgl,
> + struct skcipher_sg_list, list);
> + sg = sgl->sg;
> +
> + while (!sg->length)
> + sg++;
> +
> skcipher_request_set_crypt(&ctx->req, sg, ctx->rsgl.sg, used,
> ctx->iv);
>
> --
> Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
