Re: [PATCH] crypto: CTR DRBG - in-place cipher operation

On Fri, Jul 20, 2018 at 07:42:01PM +0200, Stephan Müller wrote:
>
> @@ -1747,10 +1733,18 @@ static int drbg_kcapi_sym_ctr(struct drbg_state *drbg,
>  			      u8 *outbuf, u32 outlen)
>  {
>  	struct scatterlist *sg_in = &drbg->sg_in, *sg_out = &drbg->sg_out;
> +	u32 scratchpad_use = min_t(u32, outlen, DRBG_OUTSCRATCHLEN);
>  	int ret;
>  
> -	sg_set_buf(sg_in, inbuf, inlen);
> -	sg_set_buf(sg_out, drbg->outscratchpad, DRBG_OUTSCRATCHLEN);
> +	if (inbuf) {
> +		/* Use caller-provided input buffer */
> +		sg_set_buf(sg_in, inbuf, inlen);
> +	} else {
> +		/* Use scratchpad for in-place operation */
> +		inlen = scratchpad_use;
> +		memset(drbg->outscratchpad, 0, scratchpad_use);
> +		sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use);
> +	}
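
Review bot: In the `if (inbuf)` branch, `sg_set_buf(sg_in, inbuf, inlen)` hands a caller-supplied pointer to the scatterlist with no visible constraint on where that memory lives. sg_set_buf() needs an address in the kernel's linear mapping, so a stack or vmalloc buffer would be invalid here. Either state the requirement on inbuf in the function comment, or copy the input into drbg->outscratchpad and always run in place, which would also remove the two-branch setup. In the else branch, `inlen = scratchpad_use` silently overrides the caller's inlen whenever inbuf is NULL; that calling convention should be documented as well.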

What guarantees that inbuf isn't on the stack?

I think rather than doing this we need to fix the existing code
to copy inbuf onto the scratch pad and then do in-place operation
on that.

Cheers,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


