From: Stephan Mueller
Subject: Re: [PATCH] crypto: user - re-add size check for CRYPTO_MSG_GETALG
Date: Wed, 22 Jun 2016 21:03:19 +0200
Message-ID: <1700839.z4KCsoVT9C@positron.chronox.de>
References: <1466620177-10998-1-git-send-email-minipli@googlemail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7Bit
Cc: Herbert Xu, "David S. Miller", linux-crypto@vger.kernel.org, Steffen Klassert
To: Mathias Krause
Received: from mail.eperm.de ([89.247.134.16]:37992 "EHLO mail.eperm.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751307AbcFVTD1 (ORCPT); Wed, 22 Jun 2016 15:03:27 -0400
In-Reply-To: <1466620177-10998-1-git-send-email-minipli@googlemail.com>
Sender: linux-crypto-owner@vger.kernel.org

On Wednesday, 22 June 2016, 20:29:37, Mathias Krause wrote:

Hi Mathias,

> Commit 9aa867e46565 ("crypto: user - Add CRYPTO_MSG_DELRNG")
> accidentally removed the minimum size check for CRYPTO_MSG_GETALG
> netlink messages. This allows userland to send a truncated
> CRYPTO_MSG_GETALG message as short as a netlink header only, making
> crypto_report() operate on uninitialized memory by accessing data
> beyond the end of the netlink message.
>
> Fix this by re-adding the minimum required size of CRYPTO_MSG_GETALG
> messages to the crypto_msg_min[] array.

I was playing with the adding of the GETALG value as you did to track down the issue fixed with eed1e1afd8d542d9644534c1b712599b5d680007 ("crypto: user - no parsing of CRYPTO_MSG_GETALG") in the cryptodev-2.6 tree. It did not occur to me that it fixes another bug.

Yet, with this addition, it would be possible to revert the patch eed1e1afd8d542d9644534c1b712599b5d680007 as your patch fixes the issue too. But my fix can also stay as it does not hurt either.

What is your take on that?

Ciao
Stephan
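As an added illustration (not code from the patch, the kernel, or either author), the following C model uses constructed stand-ins for the netlink header and struct crypto_user_alg to show why the crypto_msg_min[] slot matters: the same header-only CRYPTO_MSG_GETALG message passes the per-type size gate when the GETALG slot is 0 and would make the handler read past the message, but is rejected with -EINVAL once the GETALG minimum is restored. The function and type names are hypothetical; only the length relationship mirrors the receive path described above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for struct nlmsghdr and struct crypto_user_alg
 * (real layouts differ; only the length relationship matters here). */
struct nl_hdr { uint32_t nlmsg_len; uint16_t nlmsg_type; uint16_t nlmsg_flags; };
struct user_alg { char cru_name[64]; char cru_driver_name[64]; uint32_t cru_type; uint32_t cru_mask; };

enum { MSG_NEWALG, MSG_DELALG, MSG_UPDATEALG, MSG_GETALG, MSG_DELRNG, MSG_NR };
enum { RCV_HANDLED = 0, RCV_EINVAL = -22, RCV_OVERREAD = -1000 };

/* Per-type minimum payload, indexed like crypto_msg_min[].  The "broken" table
 * models the GETALG slot having lost its size; the "fixed" table restores it. */
#define ALG sizeof(struct user_alg)
static const size_t msg_min_broken[MSG_NR] = { ALG, ALG, ALG, 0,   0 };
static const size_t msg_min_fixed[MSG_NR]  = { ALG, ALG, ALG, ALG, 0 };

/* Models the receive path: validate the header, apply the per-type size gate,
 * then let the GETALG handler consume a full struct user_alg.  Instead of
 * actually reading past the message (undefined behaviour), an over-read is
 * reported as RCV_OVERREAD so the difference between the tables is observable. */
static int rcv_msg(const void *buf, size_t buflen, const size_t *msg_min, struct user_alg *out)
{
    const struct nl_hdr *nlh = buf;
    if (buflen < sizeof(*nlh) || nlh->nlmsg_len < sizeof(*nlh) || nlh->nlmsg_len > buflen)
        return RCV_EINVAL;
    if (nlh->nlmsg_type >= MSG_NR)
        return RCV_EINVAL;
    size_t payload = nlh->nlmsg_len - sizeof(*nlh);
    if (payload < msg_min[nlh->nlmsg_type])
        return RCV_EINVAL;                 /* the gate the fix restores for GETALG */
    if (nlh->nlmsg_type == MSG_GETALG) {   /* handler expects a whole user_alg */
        if (payload < ALG)
            return RCV_OVERREAD;           /* would touch bytes beyond nlmsg_len */
        memcpy(out, (const char *)buf + sizeof(*nlh), ALG);
    }
    return RCV_HANDLED;
}

/* Build a zeroed message of the given type with 'payload' payload bytes. */
static size_t build_msg(unsigned char *buf, size_t bufsz, uint16_t type, size_t payload)
{
    size_t len = sizeof(struct nl_hdr) + payload;
    if (len > bufsz) return 0;
    memset(buf, 0, len);
    struct nl_hdr h = { (uint32_t)len, type, 0 };
    memcpy(buf, &h, sizeof h);
    return len;
}

/* Feed a message with 'payload' bytes of type 'type' through the chosen table. */
static int run_msg(uint16_t type, size_t payload, const size_t *msg_min)
{
    unsigned char buf[256]; struct user_alg a;
    size_t len = build_msg(buf, sizeof buf, type, payload);
    return rcv_msg(buf, len, msg_min, &a);
}
```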