From patchwork Sun Sep 24 06:25:17 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephan Mueller X-Patchwork-Id: 9967747 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 0CE486020C for ; Sun, 24 Sep 2017 06:26:21 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F2D1128F44 for ; Sun, 24 Sep 2017 06:26:20 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E7C0028F5F; Sun, 24 Sep 2017 06:26:20 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CFC0028F5B for ; Sun, 24 Sep 2017 06:26:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751276AbdIXGZt (ORCPT ); Sun, 24 Sep 2017 02:25:49 -0400 Received: from mail.eperm.de ([89.247.134.16]:34928 "EHLO mail.eperm.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751059AbdIXGZs (ORCPT ); Sun, 24 Sep 2017 02:25:48 -0400 Received: from positron.chronox.de (unknown [88.128.80.42]) by mail.eperm.de (Postfix) with ESMTPA id 828821816074; Sun, 24 Sep 2017 08:25:46 +0200 (CEST) From: Stephan =?ISO-8859-1?Q?M=FCller?= To: herbert@gondor.apana.org.au Cc: linux-crypto@vger.kernel.org Subject: [PATCH 2/2] crypto: shash - no kmap of zero SG Date: Sun, 24 Sep 2017 08:25:17 +0200 Message-ID: <25135634.rNEetDmbAf@positron.chronox.de> In-Reply-To: <3874163.dZU00zCVt8@positron.chronox.de> References: <3874163.dZU00zCVt8@positron.chronox.de> MIME-Version: 1.0 Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP In case the caller provides an SG with zero data, prevent a kmap of the page pointed to by the SG. In this case, it is possible that the page does not exist. This fixes a crash in authenc() when the plaintext is zero and thus the encryption operation is a noop. In this case, no input data exists that can be hashed. The crash is triggerable via AF_ALG from unprivileged user space. Fixes: 3b2f6df08258e ("crypto: hash - Export shash through ahash") CC: Herbert Xu CC: Signed-off-by: Stephan Mueller --- crypto/shash.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/crypto/shash.c b/crypto/shash.c index 5e31c8d776df..32d0e1806bf4 100644 --- a/crypto/shash.c +++ b/crypto/shash.c @@ -278,9 +278,11 @@ int shash_ahash_digest(struct ahash_request *req, struct shash_desc *desc) struct scatterlist *sg = req->src; unsigned int offset = sg->offset; unsigned int nbytes = req->nbytes; + unsigned int process = min(sg->length, + ((unsigned int)(PAGE_SIZE)) - offset); int err; - if (nbytes < min(sg->length, ((unsigned int)(PAGE_SIZE)) - offset)) { + if (process && nbytes < process) { void *data; data = kmap_atomic(sg_page(sg));