Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp1136131pxk; Fri, 25 Sep 2020 07:10:44 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyEW5IMfdF+QxPNTJQAM0qE0ryb2pZtSP91DvXVAxBXxcTzM11Qmtt9Cyzohj8pAk0GZIuk X-Received: by 2002:a50:d591:: with SMTP id v17mr1573506edi.92.1601043039667; Fri, 25 Sep 2020 07:10:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1601043039; cv=none; d=google.com; s=arc-20160816; b=StnkyG0NU4toqqLBPlxtbIRPL9ZzMVQ9U42LXi2pZ1Dpuo9ZtA3j2aKRBhf1bk05iN Ne7gx3gysX88nW1c4dhhpliGhEZZ9iWu17a9L9NG99fQ4uRExJ4wyUdIKX0ySevfZXHf Y0W+u1t1Arb7pyIzvAJcuA/xeny3v6Ie+KmmEbYCiO1O0Nb3A+u7X85bXKUQombgvZgh sV/8lDmlTjwS2F0g/OvifXCo/AV80P85/v+tQfoVM9xTwI9MKcNA4XrjXEv8MYuDm6dG pcumGjXvm8g8T9NdpXlHmOr7ALy+S3wTsChSoBKgDBCznG17mU0ZLarri0iQpMdRsYgI YNwQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:references:in-reply-to:message-id :date:subject:cc:to:from; bh=X4N3mi8fu905OMs7yEwVb+TdCF+YI12X3TmRpofszOQ=; b=fNpCnCWsyGBL5xyDjMSoG137V0FnNiT2V/j3dEq6Kbh43YAf+q1J54U9fmu8LiGy+9 HjeKefk8PrstaspBQZbOMnA1dprgr9Od9LWfRW09QDLyUMjxnAgh9DmHeo4yLMx4/Frv LmfGHFBcrBcyWujDZR16li51eLEWvOIYRQ/7082Pb113K12UTBr/pDttrGARLCwtg79S +tSMo/KHHNPc6BLzffrk6q7GSgPOaQBFq3uFCz+JkV7b9+gl4DNl+L+/MkmfuqXXgrLp GKI93AB7GBYgP5VJAfoxebLFhdRD9j23vfL0RvphlDrP/Ni3otT1oubnXhw6bMyRgTAz UNcQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n1si1831289edt.72.2020.09.25.07.10.14; Fri, 25 Sep 2020 07:10:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728975AbgIYOI7 (ORCPT + 99 others); Fri, 25 Sep 2020 10:08:59 -0400 Received: from szxga07-in.huawei.com ([45.249.212.35]:47144 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728958AbgIYOI6 (ORCPT ); Fri, 25 Sep 2020 10:08:58 -0400 Received: from DGGEMS405-HUB.china.huawei.com (unknown [172.30.72.59]) by Forcepoint Email with ESMTP id 549188A2292E46BAB632; Fri, 25 Sep 2020 22:08:56 +0800 (CST) Received: from localhost.localdomain (10.69.192.56) by DGGEMS405-HUB.china.huawei.com (10.3.19.205) with Microsoft SMTP Server id 14.3.487.0; Fri, 25 Sep 2020 22:08:49 +0800 From: Yang Shen To: , CC: , , , Subject: [PATCH RESEND 2/4] crypto: hisilicon/zip - fix zero length input in GZIP decompress Date: Fri, 25 Sep 2020 22:06:15 +0800 Message-ID: <1601042777-26150-3-git-send-email-shenyang39@huawei.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1601042777-26150-1-git-send-email-shenyang39@huawei.com> References: <1601042777-26150-1-git-send-email-shenyang39@huawei.com> MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.69.192.56] X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Zhou Wang The zero length input will cause a call trace when use GZIP decompress like this: Unable to handle kernel paging request at virtual address ... lr : get_gzip_head_size+0x7c/0xd0 [hisi_zip] Judge the input length and return '-EINVAL' when input is invalid. Fixes: 62c455ca853e("crypto: hisilicon - add HiSilicon ZIP...") Signed-off-by: Zhou Wang Signed-off-by: Yang Shen --- drivers/crypto/hisilicon/zip/zip_crypto.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/drivers/crypto/hisilicon/zip/zip_crypto.c b/drivers/crypto/hisilicon/zip/zip_crypto.c index 38f92d4..48dc2fd 100644 --- a/drivers/crypto/hisilicon/zip/zip_crypto.c +++ b/drivers/crypto/hisilicon/zip/zip_crypto.c @@ -454,7 +454,7 @@ static int add_comp_head(struct scatterlist *dst, u8 req_type) return head_size; } -static size_t get_gzip_head_size(struct scatterlist *sgl) +static size_t __maybe_unused get_gzip_head_size(struct scatterlist *sgl) { char buf[HZIP_GZIP_HEAD_BUF]; @@ -463,13 +463,20 @@ static size_t get_gzip_head_size(struct scatterlist *sgl) return __get_gzip_head_size(buf); } -static size_t get_comp_head_size(struct scatterlist *src, u8 req_type) +static int get_comp_head_size(struct acomp_req *acomp_req, u8 req_type) { + if (!acomp_req->src || !acomp_req->slen) + return -EINVAL; + + if ((req_type == HZIP_ALG_TYPE_GZIP) && + (acomp_req->slen < GZIP_HEAD_FEXTRA_SHIFT)) + return -EINVAL; + switch (req_type) { case HZIP_ALG_TYPE_ZLIB: return TO_HEAD_SIZE(HZIP_ALG_TYPE_ZLIB); case HZIP_ALG_TYPE_GZIP: - return get_gzip_head_size(src); + return TO_HEAD_SIZE(HZIP_ALG_TYPE_GZIP); default: pr_err("request type does not support!\n"); return -EINVAL; @@ -606,10 +613,14 @@ static int hisi_zip_adecompress(struct acomp_req *acomp_req) struct hisi_zip_qp_ctx *qp_ctx = &ctx->qp_ctx[HZIP_QPC_DECOMP]; struct device *dev = &qp_ctx->qp->qm->pdev->dev; struct hisi_zip_req *req; - size_t head_size; - int ret; + int head_size, ret; - head_size = get_comp_head_size(acomp_req->src, qp_ctx->qp->req_type); + head_size = get_comp_head_size(acomp_req, qp_ctx->qp->req_type); + if (head_size < 0) { + dev_err_ratelimited(dev, "failed to get comp head size (%d)!\n", + head_size); + return head_size; + } req = hisi_zip_create_req(acomp_req, qp_ctx, head_size, false); if (IS_ERR(req)) -- 2.7.4