From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Stephan Mueller, Herbert Xu
Subject: [PATCH 4.14 009/156] crypto: aesni - handle zero length dst buffer
Date: Fri, 2 Feb 2018 17:56:30 +0100
Message-Id: <20180202140840.748001317@linuxfoundation.org>
In-Reply-To: <20180202140840.242829545@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------
From: Stephan Mueller

commit 9c674e1e2f9e24fa4392167efe343749008338e0 upstream.

GCM can be invoked with a zero destination buffer. This is possible if the AAD and the ciphertext have zero lengths and only the tag exists in the source buffer (i.e. a source buffer cannot be zero). In this case, the GCM cipher only performs the authentication and no decryption operation.

When the destination buffer has zero length, it is possible that no page is mapped to the SG pointing to the destination. In this case, sg_page(req->dst) is an invalid access. Therefore, page accesses should only be allowed if the req->dst->length is non-zero which is the indicator that a page must exist.

This fixes a crash that can be triggered by user space via AF_ALG.

Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
Signed-off-by: Greg Kroah-Hartman

--- arch/x86/crypto/aesni-intel_glue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/crypto/aesni-intel_glue.c +++ b/arch/x86/crypto/aesni-intel_glue.c @@ -823,7 +823,7 @@ static int gcmaes_decrypt(struct aead_re if (sg_is_last(req->src) && (!PageHighMem(sg_page(req->src)) || req->src->offset + req->src->length <= PAGE_SIZE) && - sg_is_last(req->dst) && + sg_is_last(req->dst) && req->dst->length && (!PageHighMem(sg_page(req->dst)) || req->dst->offset + req->dst->length <= PAGE_SIZE)) { one_entry_in_sg = 1;
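
Review bot: In the gcmaes_decrypt condition, the added `req->dst->length` term is what keeps sg_page(req->dst) from being evaluated for an empty destination, but the code carries no hint of that. A one-line comment above the `if` saying that a zero-length dst scatterlist entry may have no page mapped (the tag-only case reachable via AF_ALG described in the commit message) would keep a later cleanup from dropping the test as redundant. When the new term is false, `one_entry_in_sg` is not set here, so the request goes down the other branch, which lies outside this hunk; please confirm that branch also avoids touching a dst page for a zero-length destination. The src side keeps calling sg_page(req->src) with no length test, which is consistent with the commit message's statement that the source buffer cannot be zero.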