Message ID | 3547426.Fep2bfj8cH@positron.chronox.de (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Herbert Xu |
On Thu, Dec 01, 2016 at 08:22:37AM +0100, Stephan Mueller wrote:
> Hi Herbert,
>
> I split out the bug fix patch from the AD/tag formatting patch as they most likely will come after the next merge window.
>
> ---8<---
>
> Handle the case when the caller provided a zero buffer to
> sendmsg/sendpage. Such scenario is legal for AEAD ciphers when no
> plaintext / ciphertext and no AAD is provided and the caller only
> requests the generation of the tag value.
>
> Signed-off-by: Stephan Mueller <smueller@chronox.de>

Patch applied. Thanks.
On Thursday, 1 December 2016, 21:22:07 CET, Herbert Xu wrote:

Hi Herbert,

> On Thu, Dec 01, 2016 at 08:22:37AM +0100, Stephan Mueller wrote:
> > Hi Herbert,
> >
> > I split out the bug fix patch from the AD/tag formatting patch as they
> > most likely will come after the next merge window.
> >
> > ---8<---
> >
> > Handle the case when the caller provided a zero buffer to
> > sendmsg/sendpage. Such scenario is legal for AEAD ciphers when no
> > plaintext / ciphertext and no AAD is provided and the caller only
> > requests the generation of the tag value.
> >
> > Signed-off-by: Stephan Mueller <smueller@chronox.de>
>
> Patch applied. Thanks.

May I suggest to forward that patch to stable as this patch fixes a kernel crasher that can be triggered by an unprivileged user? The bug was introduced in 4.7 with the AEAD AIO addition.

Ciao
Stephan
diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c index 80a0f1a..6e95137 100644 --- a/crypto/algif_aead.c +++ b/crypto/algif_aead.c @@ -448,12 +448,13 @@ static int aead_recvmsg_async(struct socket *sock, struct msghdr *msg, used -= ctx->aead_assoclen + (ctx->enc ? as : 0); /* take over all tx sgls from ctx */ - areq->tsgl = sock_kmalloc(sk, sizeof(*areq->tsgl) * sgl->cur, + areq->tsgl = sock_kmalloc(sk, + sizeof(*areq->tsgl) * max_t(u32, sgl->cur, 1), GFP_KERNEL); if (unlikely(!areq->tsgl)) goto free; - sg_init_table(areq->tsgl, sgl->cur); + sg_init_table(areq->tsgl, max_t(u32, sgl->cur, 1)); for (i = 0; i < sgl->cur; i++) sg_set_page(&areq->tsgl[i], sg_page(&sgl->sg[i]), sgl->sg[i].length, sgl->sg[i].offset);
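Review bot: The clamp `max_t(u32, sgl->cur, 1)` is written out twice, once in the `sock_kmalloc()` size and once in the `sg_init_table()` call, and the two must stay identical for the table to match its allocation; computing it once into a local and using that in both places would remove the risk of them drifting apart. A short comment at that point saying the minimum of one entry covers the zero-buffer sendmsg/sendpage case would help, since the copy loop below still runs `sgl->cur` times and so leaves the single entry without a page in that case. The hunk does not show where `areq->tsgl` is freed; that path should use the same clamped size as the allocation.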
Hi Herbert,

I split out the bug fix patch from the AD/tag formatting patch as they most likely will come after the next merge window.

---8<---

Handle the case when the caller provided a zero buffer to
sendmsg/sendpage. Such scenario is legal for AEAD ciphers when no
plaintext / ciphertext and no AAD is provided and the caller only
requests the generation of the tag value.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
 crypto/algif_aead.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)