From patchwork Fri Oct  9 19:43:33 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Russell King <rmk+kernel@arm.linux.org.uk>
X-Patchwork-Id: 7363561
X-Patchwork-Delegate: herbert@gondor.apana.org.au
Return-Path: <linux-crypto-owner@kernel.org>
X-Original-To: patchwork-linux-crypto@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id 53D44BEEA4
	for <patchwork-linux-crypto@patchwork.kernel.org>;
	Fri,  9 Oct 2015 19:43:44 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id 7A37C2078D
	for <patchwork-linux-crypto@patchwork.kernel.org>;
	Fri,  9 Oct 2015 19:43:43 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 971D32078C
	for <patchwork-linux-crypto@patchwork.kernel.org>;
	Fri,  9 Oct 2015 19:43:42 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752839AbbJITnm (ORCPT
	<rfc822;patchwork-linux-crypto@patchwork.kernel.org>);
	Fri, 9 Oct 2015 15:43:42 -0400
Received: from pandora.arm.linux.org.uk ([78.32.30.218]:51390 "EHLO
	pandora.arm.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751892AbbJITnl (ORCPT
	<rfc822;linux-crypto@vger.kernel.org>);
	Fri, 9 Oct 2015 15:43:41 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=arm.linux.org.uk; s=pandora-2014;
	h=Date:Sender:Message-Id:Content-Type:Content-Transfer-Encoding:MIME-Version:Subject:Cc:To:From:References:In-Reply-To;
	bh=w1sA0IG7xX97n8sHYCh+I4UZlk650iKDSZuY9fno8YI=;
	b=lYEs80XT5J8gsWgxr/L42h5jD9VtdFzsI1clhP+Z1dX9ueB11FntZPEyrU662fmR1Ic061CbAsmOuN4ZulgYax165Ni+4bCJcycEnZZUHxj7fs4i95ymFEoflBsDBz7GItoZC5on5Q5CmSOBIliQJR9zxOFxrEuc98nGSYHYRv4=;
Received: from e0022681537dd.dyn.arm.linux.org.uk
	([2001:4d48:ad52:3201:222:68ff:fe15:37dd]:38710
	helo=rmk-PC.arm.linux.org.uk)
	by pandora.arm.linux.org.uk with esmtpsa (TLSv1:AES128-SHA:128)
	(Exim 4.82_1-5b7a7c0-XX) (envelope-from <rmk@arm.linux.org.uk>)
	id 1ZkdZm-0008Rh-Dl; Fri, 09 Oct 2015 20:43:34 +0100
Received: from rmk by rmk-PC.arm.linux.org.uk with local (Exim
	4.82_1-5b7a7c0-XX) (envelope-from <rmk@arm.linux.org.uk>)
	id 1ZkdZl-0005IT-IU; Fri, 09 Oct 2015 20:43:33 +0100
In-Reply-To: <20151009194309.GA7401@n2100.arm.linux.org.uk>
References: <20151009194309.GA7401@n2100.arm.linux.org.uk>
From: Russell King <rmk+kernel@arm.linux.org.uk>
To: Boris Brezillon <boris.brezillon@free-electrons.com>,
	Arnaud Ebalard <arno@natisbad.org>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>,
	Jason Cooper <jason@lakedaemon.net>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>, linux-crypto@vger.kernel.org
Subject: [PATCH v3 1/5] crypto: ensure algif_hash does not pass a zero-sized
	state
MIME-Version: 1.0
Content-Disposition: inline
Message-Id: <E1ZkdZl-0005IT-IU@rmk-PC.arm.linux.org.uk>
Date: Fri, 09 Oct 2015 20:43:33 +0100
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org
X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_HI,T_DKIM_INVALID,T_RP_MATCHES_RCVD,UNPARSEABLE_RELAY
	autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

If the algorithm passed a zero statesize, do not pass a valid pointer
into the export/import functions.  Passing a valid pointer covers up
bugs in driver code which then go on to smash the kernel stack.
Instead, pass NULL, which will cause any attempt to write to the
pointer to fail.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
---
 crypto/ahash.c | 3 ++-
 crypto/shash.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/crypto/ahash.c b/crypto/ahash.c
index 8acb886032ae..9c1dc8d6106a 100644
--- a/crypto/ahash.c
+++ b/crypto/ahash.c
@@ -544,7 +544,8 @@ static int ahash_prepare_alg(struct ahash_alg *alg)
 	struct crypto_alg *base = &alg->halg.base;
 
 	if (alg->halg.digestsize > PAGE_SIZE / 8 ||
-	    alg->halg.statesize > PAGE_SIZE / 8)
+	    alg->halg.statesize > PAGE_SIZE / 8 ||
+	    alg->halg.statesize == 0)
 		return -EINVAL;
 
 	base->cra_type = &crypto_ahash_type;
diff --git a/crypto/shash.c b/crypto/shash.c
index ecb1e3d39bf0..ab3384b38542 100644
--- a/crypto/shash.c
+++ b/crypto/shash.c
@@ -585,7 +585,8 @@ static int shash_prepare_alg(struct shash_alg *alg)
 
 	if (alg->digestsize > PAGE_SIZE / 8 ||
 	    alg->descsize > PAGE_SIZE / 8 ||
-	    alg->statesize > PAGE_SIZE / 8)
+	    alg->statesize > PAGE_SIZE / 8 ||
+	    alg->statesize == 0)
 		return -EINVAL;
 
 	base->cra_type = &crypto_shash_type;