Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933351AbdIXUmy (ORCPT ); Sun, 24 Sep 2017 16:42:54 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:60862 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932432AbdIXUmw (ORCPT ); Sun, 24 Sep 2017 16:42:52 -0400 From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, linux-crypto@vger.kernel.org, Stephan Mueller , Herbert Xu Subject: [PATCH 4.13 034/109] [PATCH - RESEND] crypto: AF_ALG - remove SGL terminator indicator when chaining Date: Sun, 24 Sep 2017 22:32:55 +0200 Message-Id: <20170924203354.455841357@linuxfoundation.org> X-Mailer: git-send-email 2.14.1 In-Reply-To: <20170924203353.104695385@linuxfoundation.org> References: <20170924203353.104695385@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1898 Lines: 48 4.13-stable review patch. If anyone has any objections, please let me know. ------------------ From: Stephan Mueller Fixed differently upstream as commit 2d97591ef43d ("crypto: af_alg - consolidation of duplicate code") The SGL is MAX_SGL_ENTS + 1 in size. The last SG entry is used for the chaining and is properly updated with the sg_chain invocation. During the filling-in of the initial SG entries, sg_mark_end is called for each SG entry. This is appropriate as long as no additional SGL is chained with the current SGL. However, when a new SGL is chained and the last SG entry is updated with sg_chain, the last but one entry still contains the end marker from the sg_mark_end. This end marker must be removed as otherwise a walk of the chained SGLs will cause a NULL pointer dereference at the last but one SG entry, because sg_next will return NULL. The patch only applies to all kernels up to and including 4.13. The patch 2d97591ef43d0587be22ad1b0d758d6df4999a0b added to 4.14-rc1 introduced a complete new code base which addresses this bug in a different way. Yet, that patch is too invasive for stable kernels and was therefore not marked for stable. Fixes: 8ff590903d5fc ("crypto: algif_skcipher - User-space interface for skcipher operations") Signed-off-by: Stephan Mueller Acked-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- crypto/algif_skcipher.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/crypto/algif_skcipher.c +++ b/crypto/algif_skcipher.c @@ -144,8 +144,10 @@ static int skcipher_alloc_sgl(struct soc sg_init_table(sgl->sg, MAX_SGL_ENTS + 1); sgl->cur = 0; - if (sg) + if (sg) { sg_chain(sg, MAX_SGL_ENTS + 1, sgl->sg); + sg_unmark_end(sg + (MAX_SGL_ENTS - 1)); + } list_add_tail(&sgl->list, &ctx->tsgl); }