| Message ID | 20231227093523.2735484-1-chengming.zhou@linux.dev (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Herbert Xu |
| Headers | show |
| Series | [v2] crypto: scompress - fix req->dst buffer overflow | expand |
On Wed, Dec 27, 2023 at 5:35 PM <chengming.zhou@linux.dev> wrote: > > From: Chengming Zhou <zhouchengming@bytedance.com> > > The req->dst buffer size should be checked before copying from the > scomp_scratch->dst to avoid req->dst buffer overflow problem. > > Fixes: 1ab53a77b772 ("crypto: acomp - add driver-side scomp interface") > Reported-by: syzbot+3eff5e51bf1db122a16e@syzkaller.appspotmail.com > Closes: https://lore.kernel.org/all/0000000000000b05cd060d6b5511@google.com/ > Signed-off-by: Chengming Zhou <zhouchengming@bytedance.com> > --- > v2: > - change error code to ENOSPC. Reviewed-by: Barry Song <v-songbaohua@oppo.com> > --- > crypto/scompress.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/crypto/scompress.c b/crypto/scompress.c > index 442a82c9de7d..b108a30a7600 100644 > --- a/crypto/scompress.c > +++ b/crypto/scompress.c > @@ -117,6 +117,7 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) > struct crypto_scomp *scomp = *tfm_ctx; > void **ctx = acomp_request_ctx(req); > struct scomp_scratch *scratch; > + unsigned int dlen; > int ret; > > if (!req->src || !req->slen || req->slen > SCOMP_SCRATCH_SIZE) > @@ -128,6 +129,8 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) > if (!req->dlen || req->dlen > SCOMP_SCRATCH_SIZE) > req->dlen = SCOMP_SCRATCH_SIZE; > > + dlen = req->dlen; > + > scratch = raw_cpu_ptr(&scomp_scratch); > spin_lock(&scratch->lock); > > @@ -145,6 +148,9 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) > ret = -ENOMEM; > goto out; > } > + } else if (req->dlen > dlen) { > + ret = -ENOSPC; > + goto out; > } > scatterwalk_map_and_copy(scratch->dst, req->dst, 0, req->dlen, > 1); > -- > 2.40.1 >
On Wed, Dec 27, 2023 at 09:35:23AM +0000, chengming.zhou@linux.dev wrote: > From: Chengming Zhou <zhouchengming@bytedance.com> > > The req->dst buffer size should be checked before copying from the > scomp_scratch->dst to avoid req->dst buffer overflow problem. > > Fixes: 1ab53a77b772 ("crypto: acomp - add driver-side scomp interface") > Reported-by: syzbot+3eff5e51bf1db122a16e@syzkaller.appspotmail.com > Closes: https://lore.kernel.org/all/0000000000000b05cd060d6b5511@google.com/ > Signed-off-by: Chengming Zhou <zhouchengming@bytedance.com> > --- > v2: > - change error code to ENOSPC. > --- > crypto/scompress.c | 6 ++++++ > 1 file changed, 6 insertions(+) Patch applied. Thanks.
diff --git a/crypto/scompress.c b/crypto/scompress.c index 442a82c9de7d..b108a30a7600 100644 --- a/crypto/scompress.c +++ b/crypto/scompress.c @@ -117,6 +117,7 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) struct crypto_scomp *scomp = *tfm_ctx; void **ctx = acomp_request_ctx(req); struct scomp_scratch *scratch; + unsigned int dlen; int ret; if (!req->src || !req->slen || req->slen > SCOMP_SCRATCH_SIZE) @@ -128,6 +129,8 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) if (!req->dlen || req->dlen > SCOMP_SCRATCH_SIZE) req->dlen = SCOMP_SCRATCH_SIZE; + dlen = req->dlen; + scratch = raw_cpu_ptr(&scomp_scratch); spin_lock(&scratch->lock); @@ -145,6 +148,9 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) ret = -ENOMEM; goto out; } + } else if (req->dlen > dlen) { + ret = -ENOSPC; + goto out; } scatterwalk_map_and_copy(scratch->dst, req->dst, 0, req->dlen, 1);