From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Stephan Mueller, Herbert Xu
Subject: [PATCH 4.9 08/86] crypto: aesni - handle zero length dst buffer
Date: Fri, 2 Feb 2018 17:57:28 +0100
Message-Id: <20180202140823.517531749@linuxfoundation.org>
In-Reply-To: <20180202140822.679101338@linuxfoundation.org>

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Stephan Mueller

commit 9c674e1e2f9e24fa4392167efe343749008338e0 upstream.

GCM can be invoked with a zero destination buffer. This is possible if the AAD and the ciphertext have zero lengths and only the tag exists in the source buffer (i.e. a source buffer cannot be zero). In this case, the GCM cipher only performs the authentication and no decryption operation.

When the destination buffer has zero length, it is possible that no page is mapped to the SG pointing to the destination. In this case, sg_page(req->dst) is an invalid access. Therefore, page accesses should only be allowed if the req->dst->length is non-zero which is the indicator that a page must exist.

This fixes a crash that can be triggered by user space via AF_ALG.

Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
Signed-off-by: Greg Kroah-Hartman

--- arch/x86/crypto/aesni-intel_glue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/crypto/aesni-intel_glue.c +++ b/arch/x86/crypto/aesni-intel_glue.c @@ -906,7 +906,7 @@ static int helper_rfc4106_encrypt(struct if (sg_is_last(req->src) && req->src->offset + req->src->length <= PAGE_SIZE && - sg_is_last(req->dst) && ++ sg_is_last(req->dst) && req->dst->length && req->dst->offset + req->dst->length <= PAGE_SIZE) { one_entry_in_sg = 1; scatterwalk_start(&src_sg_walk, req->src);
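
Review bot: The added `req->dst->length` test in the `@@ -906,7 +906,7 @@` hunk sits in helper_rfc4106_encrypt, while the changelog describes the zero-length destination as the case where only the tag is in the source and the cipher performs "no decryption operation", which reads as a decrypt request. If the decrypt helper in this file takes the same `sg_is_last(req->dst) && req->dst->offset + req->dst->length <= PAGE_SIZE` fast path, it needs the same guard; otherwise the changelog should say why the encrypt side is the one that reaches sg_page(req->dst) with an empty SG entry. A one-line comment above the condition noting that a zero-length dst may have no page mapped would also keep the check from being removed later as redundant.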