From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Stephan Mueller, Herbert Xu
Subject: [PATCH 4.15 07/55] crypto: aesni - handle zero length dst buffer
Date: Fri, 2 Feb 2018 17:58:25 +0100
Message-Id: <20180202140826.711881579@linuxfoundation.org>
In-Reply-To: <20180202140826.117602411@linuxfoundation.org>

4.15-stable review patch. If anyone has any objections, please let me know.

------------------

From: Stephan Mueller

commit 9c674e1e2f9e24fa4392167efe343749008338e0 upstream.

GCM can be invoked with a zero destination buffer. This is possible if the AAD and the ciphertext have zero lengths and only the tag exists in the source buffer (i.e. a source buffer cannot be zero). In this case, the GCM cipher only performs the authentication and no decryption operation.

When the destination buffer has zero length, it is possible that no page is mapped to the SG pointing to the destination. In this case, sg_page(req->dst) is an invalid access. Therefore, page accesses should only be allowed if the req->dst->length is non-zero which is the indicator that a page must exist.

This fixes a crash that can be triggered by user space via AF_ALG.

Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
Signed-off-by: Greg Kroah-Hartman

--- arch/x86/crypto/aesni-intel_glue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/crypto/aesni-intel_glue.c +++ b/arch/x86/crypto/aesni-intel_glue.c @@ -824,7 +824,7 @@ static int gcmaes_decrypt(struct aead_re if (sg_is_last(req->src) && (!PageHighMem(sg_page(req->src)) || req->src->offset + req->src->length <= PAGE_SIZE) && - sg_is_last(req->dst) && + sg_is_last(req->dst) && req->dst->length && (!PageHighMem(sg_page(req->dst)) || req->dst->offset + req->dst->length <= PAGE_SIZE)) { one_entry_in_sg = 1;
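
Review bot: the new `req->dst->length` test in the gcmaes_decrypt fast-path condition carries no comment, and it only protects anything because it sits before `sg_page(req->dst)` in the && chain, so short-circuit evaluation skips the page lookup when the length is zero. A one-line comment above the condition saying that a zero-length dst may have no page behind it (the tag-only case from the changelog) would keep a later reordering of these operands from reintroducing the invalid access. The hunk also means a zero-length dst no longer sets one_entry_in_sg and falls through to the other branch, which is not visible here; it is worth confirming in the full function that this branch does not itself dereference the dst page when req->dst->length is zero. The diffstat shows this is the only condition changed, so if the encrypt side uses the same `sg_page(req->dst)` test, the changelog should say why it needs no equivalent guard.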