Re: crypto: slab-out-of-bounds in skcipher_recvmsg

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Jan 18, 2016 at 11:46 AM, Herbert Xu
<herbert@xxxxxxxxxxxxxxxxxxx> wrote:
> On Fri, Jan 15, 2016 at 07:22:04PM +0100, Dmitry Vyukov wrote:
>> Hello,
>>
>> The following program causes slab-out-of-bounds in skcipher_recvmsg:
>
> Thanks for the report.  This patch should fix it.


Fixes the issue for me. Thanks!

Tested-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>


> ---8<---
> Subject: crypto: algif_skcipher - Load TX SG list after waiting
>
> We need to load the TX SG list in sendmsg(2) after waiting for
> incoming data, not before.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
> Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
>
> diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
> index dfff8b0..df86fb4 100644
> --- a/crypto/algif_skcipher.c
> +++ b/crypto/algif_skcipher.c
> @@ -647,13 +647,6 @@ static int skcipher_recvmsg_sync(struct socket *sock, struct msghdr *msg,
>
>         lock_sock(sk);
>         while (msg_data_left(msg)) {
> -               sgl = list_first_entry(&ctx->tsgl,
> -                                      struct skcipher_sg_list, list);
> -               sg = sgl->sg;
> -
> -               while (!sg->length)
> -                       sg++;
> -
>                 if (!ctx->used) {
>                         err = skcipher_wait_for_data(sk, flags);
>                         if (err)
> @@ -674,6 +667,13 @@ static int skcipher_recvmsg_sync(struct socket *sock, struct msghdr *msg,
>                 if (!used)
>                         goto free;
>
> +               sgl = list_first_entry(&ctx->tsgl,
> +                                      struct skcipher_sg_list, list);
> +               sg = sgl->sg;
> +
> +               while (!sg->length)
> +                       sg++;
> +
>                 skcipher_request_set_crypt(&ctx->req, sg, ctx->rsgl.sg, used,
>                                            ctx->iv);
>
> --
> Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Home Page: http://gondor.apana.org.au/~herbert/
> PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux