Date: Wed, 27 Dec 2023 17:26:01 +0800
From: Herbert Xu
To: chengming.zhou@linux.dev
Cc: akpm@linux-foundation.org, chrisl@kernel.org, davem@davemloft.net, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, nphamcs@gmail.com, syzkaller-bugs@googlegroups.com, yosryahmed@google.com, 21cnbao@gmail.com, zhouchengming@bytedance.com, syzbot+3eff5e51bf1db122a16e@syzkaller.appspotmail.com
Subject: Re: [PATCH] crypto: scompress - fix req->dst buffer overflow

On Wed, Dec 27, 2023 at 06:50:43AM +0000, chengming.zhou@linux.dev wrote:
> From: Chengming Zhou
>
> The req->dst buffer size should be checked before copying from the
> scomp_scratch->dst to avoid req->dst buffer overflow problem.
>
> Fixes: 1ab53a77b772 ("crypto: acomp - add driver-side scomp interface")
> Reported-by: syzbot+3eff5e51bf1db122a16e@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/0000000000000b05cd060d6b5511@google.com/
> Signed-off-by: Chengming Zhou
> --- > crypto/scompress.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/crypto/scompress.c b/crypto/scompress.c > index 442a82c9de7d..e654a120ae5a 100644 > --- a/crypto/scompress.c > +++ b/crypto/scompress.c > @@ -117,6 +117,7 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) > struct crypto_scomp *scomp = *tfm_ctx; > void **ctx = acomp_request_ctx(req); > struct scomp_scratch *scratch; > + unsigned int dlen; > int ret; > > if (!req->src || !req->slen || req->slen > SCOMP_SCRATCH_SIZE)
> @@ -128,6 +129,8 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) > if (!req->dlen || req->dlen > SCOMP_SCRATCH_SIZE) > req->dlen = SCOMP_SCRATCH_SIZE; > > + dlen = req->dlen; > + > scratch = raw_cpu_ptr(&scomp_scratch); > spin_lock(&scratch->lock); > > @@ -145,6 +148,9 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) > ret = -ENOMEM; > goto out; > } > + } else if (req->dlen > dlen) { > + ret = -ENOMEM; > + goto out;

I think ENOMEM is ambiguous, perhaps ENOSPC?

Thanks,
-- 
Email: Herbert Xu
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
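
Review bot: In the @@ -128,6 +129,8 @@ hunk, dlen = req->dlen; is taken after the clamp in the context lines above it (if (!req->dlen || req->dlen > SCOMP_SCRATCH_SIZE) req->dlen = SCOMP_SCRATCH_SIZE;), so a request that arrives with req->dlen of 0 records SCOMP_SCRATCH_SIZE as its bound rather than the size of the caller's buffer. If a caller-supplied req->dst can reach this point with a zero dlen, the later req->dlen > dlen comparison would pass and the overflow would remain. Please confirm that combination is rejected before the clamp and say so in a short comment next to the assignment. The other clamp case (req->dlen above SCOMP_SCRATCH_SIZE) only lowers the bound, which is safe.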
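
Review bot: In the @@ -145,6 +148,9 @@ hunk, the new else if (req->dlen > dlen) branch returns the same -ENOMEM as the existing error path in the context lines just above it, so a caller cannot tell "output does not fit req->dst" apart from that earlier failure. A distinct code, such as the ENOSPC proposed in the reply, would separate the two. A one-line comment on the comparison would also help, because the two near-identical names hold different things at that point: dlen is the length saved in the earlier hunk and req->dlen is whatever the request holds by the time of the check.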