From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dave Watson, Eric Biggers, Herbert Xu
Subject: [PATCH 4.19 133/280] crypto: x86/aesni-gcm - fix crash on empty plaintext
Date: Fri, 22 Mar 2019 12:14:46 +0100
Message-Id: <20190322111316.962414821@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190322111306.356185024@linuxfoundation.org>
References: <20190322111306.356185024@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.19-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric Biggers

commit 3af349639597fea582a93604734d717e59a0e223 upstream.

gcmaes_crypt_by_sg() dereferences the NULL pointer returned by
scatterwalk_ffwd() when encrypting an empty plaintext and the source
scatterlist ends immediately after the associated data.

Fix it by only fast-forwarding to the src/dst data scatterlists if the
data length is nonzero.

This bug is reproduced by the "rfc4543(gcm(aes))" test vectors when run
with the new AEAD test manager.

Fixes: e845520707f8 ("crypto: aesni - Update aesni-intel_glue to use scatter/gather")
Cc: # v4.17+
Cc: Dave Watson
Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/crypto/aesni-intel_glue.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/arch/x86/crypto/aesni-intel_glue.c +++ b/arch/x86/crypto/aesni-intel_glue.c 
@@ -830,11 +830,14 @@ static int gcmaes_crypt_by_sg(bool enc, scatterwalk_map_and_copy(assoc, req->src, 0, assoclen, 0); } - src_sg = scatterwalk_ffwd(src_start, req->src, req->assoclen); - scatterwalk_start(&src_sg_walk, src_sg); - if (req->src != req->dst) { - dst_sg = scatterwalk_ffwd(dst_start, req->dst, req->assoclen); - scatterwalk_start(&dst_sg_walk, dst_sg); + if (left) { + src_sg = scatterwalk_ffwd(src_start, req->src, req->assoclen); + scatterwalk_start(&src_sg_walk, src_sg); + if (req->src != req->dst) { + dst_sg = scatterwalk_ffwd(dst_start, req->dst, + req->assoclen); + scatterwalk_start(&dst_sg_walk, dst_sg); + } } kernel_fpu_begin();
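
Review bot: With the fast-forward now under `if (left)`, src_sg_walk and dst_sg_walk are never started when left is zero, and this hunk does not show whether the code after kernel_fpu_begin() that consumes those walks is also skipped in that case; please confirm that every later use of the two walks, and of src_sg and dst_sg, is reached only when left is nonzero. A short comment above `if (left)` stating that scatterwalk_ffwd() returns NULL when the scatterlist ends right after the associated data would keep the guard from being dropped as redundant later. The copy just above uses assoclen while the fast-forward uses req->assoclen; if that difference is intended, a word on why would help the next reader.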