On Mon, Jan 18, 2016 at 11:46 AM, Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote: > On Fri, Jan 15, 2016 at 07:22:04PM +0100, Dmitry Vyukov wrote: >> Hello, >> >> The following program causes slab-out-of-bounds in skcipher_recvmsg: > > Thanks for the report. This patch should fix it. Fixes the issue for me. Thanks! Tested-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx> > ---8<--- > Subject: crypto: algif_skcipher - Load TX SG list after waiting > > We need to load the TX SG list in sendmsg(2) after waiting for > incoming data, not before. > > Cc: stable@xxxxxxxxxxxxxxx > Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx> > Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> > > diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c > index dfff8b0..df86fb4 100644 > --- a/crypto/algif_skcipher.c > +++ b/crypto/algif_skcipher.c > @@ -647,13 +647,6 @@ static int skcipher_recvmsg_sync(struct socket *sock, struct msghdr *msg, > > lock_sock(sk); > while (msg_data_left(msg)) { > - sgl = list_first_entry(&ctx->tsgl, > - struct skcipher_sg_list, list); > - sg = sgl->sg; > - > - while (!sg->length) > - sg++; > - > if (!ctx->used) { > err = skcipher_wait_for_data(sk, flags); > if (err) > @@ -674,6 +667,13 @@ static int skcipher_recvmsg_sync(struct socket *sock, struct msghdr *msg, > if (!used) > goto free; > > + sgl = list_first_entry(&ctx->tsgl, > + struct skcipher_sg_list, list); > + sg = sgl->sg; > + > + while (!sg->length) > + sg++; > + > skcipher_request_set_crypt(&ctx->req, sg, ctx->rsgl.sg, used, > ctx->iv); > > -- > Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> > Home Page: http://gondor.apana.org.au/~herbert/ > PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
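
Review bot: The commit message names sendmsg(2), but the first hunk (@@ -647,13 +647,6 @@) changes skcipher_recvmsg_sync and the report names skcipher_recvmsg, so the description should say recvmsg(2) to match the code that goes to stable. The hunk also touches only the _sync variant; it is worth confirming that no other receive path in crypto/algif_skcipher.c reads ctx->tsgl before calling skcipher_wait_for_data().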
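
Review bot: In the second hunk (@@ -674,6 +667,13 @@) the moved walk "while (!sg->length) sg++;" has no bound of its own and relies on the "if (!used) goto free;" check just above it to guarantee that a non-empty entry exists in the list. Suggest a short comment above the moved block saying that ctx->tsgl must be read only after skcipher_wait_for_data() and after the "used" check, so a later reordering does not bring back the reported slab-out-of-bounds access.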