From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Stephan Mueller, Herbert Xu
Subject: [PATCH 4.4 14/67] crypto: aesni - handle zero length dst buffer
Date: Fri, 2 Feb 2018 17:57:43 +0100
Message-Id: <20180202140816.897155539@linuxfoundation.org>
In-Reply-To: <20180202140815.091718203@linuxfoundation.org>
References: <20180202140815.091718203@linuxfoundation.org>

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Stephan Mueller

commit 9c674e1e2f9e24fa4392167efe343749008338e0 upstream.

GCM can be invoked with a zero destination buffer. This is possible if the AAD and the ciphertext have zero lengths and only the tag exists in the source buffer (i.e. a source buffer cannot be zero). In this case, the GCM cipher only performs the authentication and no decryption operation.

When the destination buffer has zero length, it is possible that no page is mapped to the SG pointing to the destination. In this case, sg_page(req->dst) is an invalid access. Therefore, page accesses should only be allowed if the req->dst->length is non-zero which is the indicator that a page must exist.

This fixes a crash that can be triggered by user space via AF_ALG.

Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
Signed-off-by: Greg Kroah-Hartman

--- arch/x86/crypto/aesni-intel_glue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/crypto/aesni-intel_glue.c +++ b/arch/x86/crypto/aesni-intel_glue.c @@ -965,7 +965,7 @@ static int helper_rfc4106_encrypt(struct if (sg_is_last(req->src) && req->src->offset + req->src->length <= PAGE_SIZE && - sg_is_last(req->dst) && + sg_is_last(req->dst) && req->dst->length && req->dst->offset + req->dst->length <= PAGE_SIZE) { one_entry_in_sg = 1; scatterwalk_start(&src_sg_walk, req->src);
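
Review bot: the `req->dst->length &&` guard lands only in the one_entry_in_sg condition of helper_rfc4106_encrypt (the function named in the @@ header, with a diffstat of 1 insertion and 1 deletion), while the changelog describes the tag-only case where GCM "only performs the authentication and no decryption operation", which is the decrypt side. Please confirm whether the corresponding decrypt helper in 4.4 has the same sg_is_last(req->dst) single-entry fast path. If it does, it needs the same guard before any sg_page(req->dst) access; if it does not, a sentence in the backport changelog explaining why one hunk is sufficient would help stable reviewers. A short comment above the condition noting that a zero-length dst may have no page mapped would also keep the extra test from being dropped in a later cleanup.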