Received: by 10.223.185.116 with SMTP id b49csp2355729wrg; Thu, 15 Feb 2018 10:18:01 -0800 (PST) X-Google-Smtp-Source: AH8x227SOZHVZUQ1x5a3XkNraOLWidaGJI2UB645JPXVaYrGU+H5BTdlYGf+SKWAALDC2r8ZMHc/ X-Received: by 2002:a17:902:7614:: with SMTP id k20-v6mr3297323pll.343.1518718681019; Thu, 15 Feb 2018 10:18:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518718680; cv=none; d=google.com; s=arc-20160816; b=XyTv5A9iXRCV3DfVsW7PxsPjlTVtyu47XfHJm7Kg9g0pfai8tZcmDdFeGSJ6/lRjhX 3y6Z0UM1RvNY05w8Xqz8QBTfHlk6x2Ik3Wx/+eF3eQUUjzOpUkP1FjuD2L9aUU39vn65 6apvJ4dbVxulSent9TyuUnpIPoH6gStsm58kjVpwL7oshVYGu64Av6AvTbQcZQRoJZd0 f7wx8wFWfp9elC3nQ/YV8tdyT15zRUZDbBL8Q9LhUgrcqweq7ZM/nz8OKuJi//k4fpVz vnCYOkYOitJN50swi22yYqsuauq0SF1UX2xRLEg7DRwj3UbI3ekcm0laAbISVmjjrqJ2 q1ow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=6u59yxRV1Qb9Tb4Hhnm+aWEB5scJ7LFF49ZK9vzTy2Y=; b=zgA4xBOUAXP3l/5tYhb2oREdWfNaaLyFHbGsKXDUu/SoljvmFmFkgCK9vsJsC2B2ee wldBLMfYzTycq4jqfdtO4+uPB5x/8nzulv/Zq0hzZRJI7gygh73RJ1FCQg7jqnDYp/N3 zHKHq+yD1i1pddNWl+Ht9V/jNN5+Ce+ZdtXCiYcKqxL0usDoOdIUQ/JVFZwyGwAn+jM1 6VCwnXx5vKcP1rrT7EHTFgxKF8CXWGw5OmFpvaEFMdAasXXRx3v+g3bRD5tNgLapN8we fM/NvS+yR0/Feh/KLrJQnbObT06TKLXPEEj6lWnktWGP6XoOu43vm6x6nEjzfmREYH0U eW3A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l4-v6si4868705pln.121.2018.02.15.10.17.47; Thu, 15 Feb 2018 10:18:00 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1166177AbeBOSPc (ORCPT + 99 others); Thu, 15 Feb 2018 13:15:32 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:53570 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1163653AbeBOP1m (ORCPT ); Thu, 15 Feb 2018 10:27:42 -0500 Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id A19621036; Thu, 15 Feb 2018 15:27:41 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot , Eric Biggers , Herbert Xu Subject: [PATCH 4.9 50/88] crypto: sha512-mb - initialize pending lengths correctly Date: Thu, 15 Feb 2018 16:17:17 +0100 Message-Id: <20180215151229.655280118@linuxfoundation.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180215151222.437136975@linuxfoundation.org> References: <20180215151222.437136975@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Eric Biggers commit eff84b379089cd8b4e83599639c1f5f6e34ef7bf upstream. The SHA-512 multibuffer code keeps track of the number of blocks pending in each lane. The minimum of these values is used to identify the next lane that will be completed. Unused lanes are set to a large number (0xFFFFFFFF) so that they don't affect this calculation. However, it was forgotten to set the lengths to this value in the initial state, where all lanes are unused. As a result it was possible for sha512_mb_mgr_get_comp_job_avx2() to select an unused lane, causing a NULL pointer dereference. Specifically this could happen in the case where ->update() was passed fewer than SHA512_BLOCK_SIZE bytes of data, so it then called sha_complete_job() without having actually submitted any blocks to the multi-buffer code. This hit a NULL pointer dereference if another task happened to have submitted blocks concurrently to the same CPU and the flush timer had not yet expired. Fix this by initializing sha512_mb_mgr->lens correctly. As usual, this bug was found by syzkaller. Fixes: 45691e2d9b18 ("crypto: sha512-mb - submit/flush routines for AVX2") Reported-by: syzbot Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- arch/x86/crypto/sha512-mb/sha512_mb_mgr_init_avx2.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) --- a/arch/x86/crypto/sha512-mb/sha512_mb_mgr_init_avx2.c +++ b/arch/x86/crypto/sha512-mb/sha512_mb_mgr_init_avx2.c @@ -57,10 +57,12 @@ void sha512_mb_mgr_init_avx2(struct sha5 { unsigned int j; - state->lens[0] = 0; - state->lens[1] = 1; - state->lens[2] = 2; - state->lens[3] = 3; + /* initially all lanes are unused */ + state->lens[0] = 0xFFFFFFFF00000000; + state->lens[1] = 0xFFFFFFFF00000001; + state->lens[2] = 0xFFFFFFFF00000002; + state->lens[3] = 0xFFFFFFFF00000003; + state->unused_lanes = 0xFF03020100; for (j = 0; j < 4; j++) state->ldata[j].job_in_lane = NULL;