From patchwork Fri Oct 9 10:29:44 2015
X-Patchwork-Submitter: Russell King
X-Patchwork-Id: 7360661
X-Patchwork-Delegate: herbert@gondor.apana.org.au
In-Reply-To: <20151009102904.GL32532@n2100.arm.linux.org.uk>
References: <20151009102904.GL32532@n2100.arm.linux.org.uk>
From: Russell King
To: Thomas Petazzoni
Cc: "David S. Miller", Herbert Xu, linux-crypto@vger.kernel.org
Subject: [PATCH 1/3] crypto: ensure algif_hash does not pass a zero-sized state
Date: Fri, 09 Oct 2015 11:29:44 +0100

If the algorithm passed a zero statesize, do not pass a valid pointer
into the export/import functions. Passing a valid pointer covers up
bugs in driver code which then go on to smash the kernel stack.
Instead, pass NULL, which will cause any attempt to write to the
pointer to fail.

Signed-off-by: Russell King
---
 crypto/algif_hash.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
index 1396ad0787fc..f450584cb940 100644
--- a/crypto/algif_hash.c
+++ b/crypto/algif_hash.c
@@ -177,12 +177,16 @@ static int hash_accept(struct socket *sock, struct socket *newsock, int flags) struct alg_sock *ask = alg_sk(sk); struct hash_ctx *ctx = ask->private; struct ahash_request *req = &ctx->req; - char state[crypto_ahash_statesize(crypto_ahash_reqtfm(req))]; + struct crypto_ahash *ahash = crypto_ahash_reqtfm(req); + unsigned int state_size = crypto_ahash_statesize(ahash); + char state_buf[state_size], *state; struct sock *sk2; struct alg_sock *ask2; struct hash_ctx *ctx2; int err; + state = state_size ? state_buf : NULL; + err = crypto_ahash_export(req, state); if (err) return err;
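
Review bot: The added `state = state_size ? state_buf : NULL;` in hash_accept() needs a comment saying the NULL is deliberate. Nothing at that line tells a later reader that a zero statesize is meant to make the driver's export/import fault instead of being handled here, so the ternary reads like something to tidy away. Two further points on the new declaration `char state_buf[state_size], *state;`: it is still evaluated when state_size is 0, which gives a zero-length VLA (undefined in ISO C, accepted by GCC as an extension), and state_size has no upper bound in this function, so the stack usage is whatever the driver reports. Consider checking state_size before the crypto_ahash_export() call and returning an error when it is 0, so that a broken driver produces a clean errno and a warning rather than a NULL write inside the export path.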