Received: by 10.223.176.5 with SMTP id f5csp1015317wra;
        Fri, 2 Feb 2018 09:44:36 -0800 (PST)
X-Google-Smtp-Source: AH8x225K3icSayX0F7oZgv2gFaDEeqk3XyhT1SiRAc5jQfU10oWDNx/fZdNv6Q7bi0iMFb+NcuVl
X-Received: by 10.99.55.65 with SMTP id g1mr23464064pgn.284.1517593476256;
        Fri, 02 Feb 2018 09:44:36 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517593476; cv=none;
        d=google.com; s=arc-20160816;
        b=hjtBhMxBPzXIEeNFmlP+XP+ZYK+E3fAbGqz2cG0x3oI/LkG5raXKSoL3MUV5VC/vIY
         oMrx/pWsrF8+FTw59AV35ppQhv0+ycMR7Onc3PCClL1xmpMnrOiy9/KFXYa4cocAvi8P
         /8DrBb7n0i1gHdB4FNNQPUSIvSzBBb+UZ4ByvyQ6ZZt/QtNpJCEbqfstL4s2xnH+vs+f
         0uZJrMFN/Xc6uWID1o6seRLozVHDrjSxll7Es6ZIeYwDBYj49Q8D1uBj1e9aC/z3RZgE
         YKVuHVwszIW8Oq331Lau8N4W42u+yi3maqgoe/PDYepwodSGJQbIZ90i6dnHdzEi79ds
         +9dw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=oex5dyvUbAiX7vBsEyF/ZDkvDIk8LGLhaESyhscRA1Q=;
        b=MzlGqndtwyen7wECP7/O58peyq8OmKPIMFYEvFcnrNyxG8d6nGRjE8u3NLeRzhPKyz
         W0OQ9MeQn0aBHI1Ha75jd06R18U/93NtFo8Rah5FXapscIV/Tn1+wYUhq8ThUZWEua/d
         W8BLr9uxFRIn1jTPc474YxsUAPjQLvKd7dYKHes3S0jPA5MepfmN0pv5VaPdMeKmlC2i
         g16M238fy1CNruuQ/Y2ToHZ9OTjgvL+bglVCJ5v8Jy70DnIfOV31CStelpTelqOw+41X
         SUQxV+EgaKpMl8757n4Mj0qZsiyY89ZeeUGHjD3/OT8642Sd0wqwsYKsJjG79dOFb266
         C7kw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i14si1684805pgp.516.2018.02.02.09.44.21;
        Fri, 02 Feb 2018 09:44:36 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753696AbeBBRO7 (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Fri, 2 Feb 2018 12:14:59 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:37350 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752862AbeBBRId (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 2 Feb 2018 12:08:33 -0500
Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 80C33F01;
        Fri,  2 Feb 2018 17:08:32 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Stephan Mueller <smueller@chronox.de>,
        Herbert Xu <herbert@gondor.apana.org.au>
Subject: [PATCH 4.14 009/156] crypto: aesni - handle zero length dst buffer
Date:   Fri,  2 Feb 2018 17:56:30 +0100
Message-Id: <20180202140840.748001317@linuxfoundation.org>
X-Mailer: git-send-email 2.16.1
In-Reply-To: <20180202140840.242829545@linuxfoundation.org>
References: <20180202140840.242829545@linuxfoundation.org>
User-Agent: quilt/0.65
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephan Mueller <smueller@chronox.de>

commit 9c674e1e2f9e24fa4392167efe343749008338e0 upstream.

GCM can be invoked with a zero destination buffer. This is possible if
the AAD and the ciphertext have zero lengths and only the tag exists in
the source buffer (i.e. a source buffer cannot be zero). In this case,
the GCM cipher only performs the authentication and no decryption
operation.

When the destination buffer has zero length, it is possible that no page
is mapped to the SG pointing to the destination. In this case,
sg_page(req->dst) is an invalid access. Therefore, page accesses should
only be allowed if the req->dst->length is non-zero which is the
indicator that a page must exist.

This fixes a crash that can be triggered by user space via AF_ALG.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/crypto/aesni-intel_glue.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/crypto/aesni-intel_glue.c
+++ b/arch/x86/crypto/aesni-intel_glue.c
@@ -823,7 +823,7 @@ static int gcmaes_decrypt(struct aead_re
 	if (sg_is_last(req->src) &&
 	    (!PageHighMem(sg_page(req->src)) ||
 	    req->src->offset + req->src->length <= PAGE_SIZE) &&
-	    sg_is_last(req->dst) &&
+	    sg_is_last(req->dst) && req->dst->length &&
 	    (!PageHighMem(sg_page(req->dst)) ||
 	    req->dst->offset + req->dst->length <= PAGE_SIZE)) {
 		one_entry_in_sg = 1;