Patch "crypto: scomp - fix req->dst buffer overflow" has been added to the 5.4-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 20 Jan 2024 20:48:07 -0500

This is a note to let you know that I've just added the patch titled

    crypto: scomp - fix req->dst buffer overflow

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     crypto-scomp-fix-req-dst-buffer-overflow.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 1771569a824584bca01cd5015fa9b2b8199e088b
Author: Chengming Zhou <zhouchengming@xxxxxxxxxxxxx>
Date:   Wed Dec 27 09:35:23 2023 +0000

    crypto: scomp - fix req->dst buffer overflow
    
    [ Upstream commit 744e1885922a9943458954cfea917b31064b4131 ]
    
    The req->dst buffer size should be checked before copying from the
    scomp_scratch->dst to avoid req->dst buffer overflow problem.
    
    Fixes: 1ab53a77b772 ("crypto: acomp - add driver-side scomp interface")
    Reported-by: syzbot+3eff5e51bf1db122a16e@xxxxxxxxxxxxxxxxxxxxxxxxx
    Closes: https://lore.kernel.org/all/0000000000000b05cd060d6b5511@xxxxxxxxxx/
    Signed-off-by: Chengming Zhou <zhouchengming@xxxxxxxxxxxxx>
    Reviewed-by: Barry Song <v-songbaohua@xxxxxxxx>
    Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/crypto/scompress.c b/crypto/scompress.c
index 4d50750d01c6..ec849790f728 100644
--- a/crypto/scompress.c
+++ b/crypto/scompress.c
@@ -124,6 +124,7 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir)
 	struct crypto_scomp *scomp = *tfm_ctx;
 	void **ctx = acomp_request_ctx(req);
 	struct scomp_scratch *scratch;
+	unsigned int dlen;
 	int ret;
 
 	if (!req->src || !req->slen || req->slen > SCOMP_SCRATCH_SIZE)
@@ -135,6 +136,8 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir)
 	if (!req->dlen || req->dlen > SCOMP_SCRATCH_SIZE)
 		req->dlen = SCOMP_SCRATCH_SIZE;
 
+	dlen = req->dlen;
+
 	scratch = raw_cpu_ptr(&scomp_scratch);
 	spin_lock(&scratch->lock);
 
@@ -152,6 +155,9 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir)
 				ret = -ENOMEM;
 				goto out;
 			}
+		} else if (req->dlen > dlen) {
+			ret = -ENOSPC;
+			goto out;
 		}
 		scatterwalk_map_and_copy(scratch->dst, req->dst, 0, req->dlen,
 					 1);







