Message ID | 20200526031956.1897-2-longpeng2@huawei.com (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | Herbert Xu |
Headers | show |
Series | crypto: virtio: Fix two crash issue | expand |
> Fix it by sg_next() on calculation of src/dst scatterlist. Wording adjustment: … by calling the function “sg_next” … … > +++ b/drivers/crypto/virtio/virtio_crypto_algs.c > @@ -350,13 +350,18 @@ __virtio_crypto_skcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req, … > src_nents = sg_nents_for_len(req->src, req->cryptlen); > + if (src_nents < 0) { > + pr_err("Invalid number of src SG.\n"); > + return src_nents; > + } > + > dst_nents = sg_nents(req->dst); … I suggest to move the addition of such input parameter validation to a separate update step. Regards, Markus
Hi Markus, On 2020/5/26 15:03, Markus Elfring wrote: >> Fix it by sg_next() on calculation of src/dst scatterlist. > > Wording adjustment: > … by calling the function “sg_next” … > OK, thanks. > > … >> +++ b/drivers/crypto/virtio/virtio_crypto_algs.c >> @@ -350,13 +350,18 @@ __virtio_crypto_skcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req, > … >> src_nents = sg_nents_for_len(req->src, req->cryptlen); >> + if (src_nents < 0) { >> + pr_err("Invalid number of src SG.\n"); >> + return src_nents; >> + } >> + >> dst_nents = sg_nents(req->dst); > … > > I suggest to move the addition of such input parameter validation > to a separate update step. > Um...The 'src_nents' will be used as a loop condition, so validate it here is needed ? ''' /* Source data */ - for (i = 0; i < src_nents; i++) - sgs[num_out++] = &req->src[i]; + for (sg = req->src; src_nents; sg = sg_next(sg), src_nents--) + sgs[num_out++] = sg; ''' > Regards, > Markus >
>> I suggest to move the addition of such input parameter validation >> to a separate update step. >> > Um...The 'src_nents' will be used as a loop condition, > so validate it here is needed ? Would you prefer to add such checking as the first update in another small patch series? Regards, Markus
<20200123101000.GB24255@Red> References: <20200526031956.1897-2-longpeng2@huawei.com> <20200123101000.GB24255@Red> Hi [This is an automated email] This commit has been processed because it contains a "Fixes:" tag fixing commit: dbaf0624ffa5 ("crypto: add virtio-crypto driver"). The bot has tested the following trees: v5.6.14, v5.4.42, v4.19.124, v4.14.181. v5.6.14: Build OK! v5.4.42: Failed to apply! Possible dependencies: eee1d6fca0a0 ("crypto: virtio - switch to skcipher API") v4.19.124: Failed to apply! Possible dependencies: eee1d6fca0a0 ("crypto: virtio - switch to skcipher API") v4.14.181: Failed to apply! Possible dependencies: 500e6807ce93 ("crypto: virtio - implement missing support for output IVs") 67189375bb3a ("crypto: virtio - convert to new crypto engine API") d0d859bb87ac ("crypto: virtio - Register an algo only if it's supported") e02b8b43f55a ("crypto: virtio - pr_err() strings should end with newlines") eee1d6fca0a0 ("crypto: virtio - switch to skcipher API") NOTE: The patch will not be queued to stable trees until it is upstream. How should we proceed with this patch?
diff --git a/drivers/crypto/virtio/virtio_crypto_algs.c b/drivers/crypto/virtio/virtio_crypto_algs.c index fd045e64972a..5f8243563009 100644 --- a/drivers/crypto/virtio/virtio_crypto_algs.c +++ b/drivers/crypto/virtio/virtio_crypto_algs.c @@ -350,13 +350,18 @@ __virtio_crypto_skcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req, int err; unsigned long flags; struct scatterlist outhdr, iv_sg, status_sg, **sgs; - int i; u64 dst_len; unsigned int num_out = 0, num_in = 0; int sg_total; uint8_t *iv; + struct scatterlist *sg; src_nents = sg_nents_for_len(req->src, req->cryptlen); + if (src_nents < 0) { + pr_err("Invalid number of src SG.\n"); + return src_nents; + } + dst_nents = sg_nents(req->dst); pr_debug("virtio_crypto: Number of sgs (src_nents: %d, dst_nents: %d)\n", @@ -442,12 +447,12 @@ __virtio_crypto_skcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req, vc_sym_req->iv = iv; /* Source data */ - for (i = 0; i < src_nents; i++) - sgs[num_out++] = &req->src[i]; + for (sg = req->src; src_nents; sg = sg_next(sg), src_nents--) + sgs[num_out++] = sg; /* Destination data */ - for (i = 0; i < dst_nents; i++) - sgs[num_out + num_in++] = &req->dst[i]; + for (sg = req->dst; sg; sg = sg_next(sg)) + sgs[num_out + num_in++] = sg; /* Status */ sg_init_one(&status_sg, &vc_req->status, sizeof(vc_req->status));