From: Chengming Zhou
To: Herbert Xu
Cc: akpm@linux-foundation.org, chrisl@kernel.org, davem@davemloft.net, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, nphamcs@gmail.com, syzkaller-bugs@googlegroups.com, yosryahmed@google.com, 21cnbao@gmail.com, zhouchengming@bytedance.com, syzbot+3eff5e51bf1db122a16e@syzkaller.appspotmail.com
Subject: Re: [PATCH] crypto: scompress - fix req->dst buffer overflow
Date: Wed, 27 Dec 2023 17:28:35 +0800
Message-ID: <4b2f3c71-738b-4b6f-9c38-b10f0c6c7ff0@linux.dev>
References: <0000000000000b05cd060d6b5511@google.com> <20231227065043.2730440-1-chengming.zhou@linux.dev>
X-Mailing-List: linux-crypto@vger.kernel.org

On 2023/12/27 17:26, Herbert Xu wrote:
> On Wed, Dec 27, 2023 at 06:50:43AM +0000, chengming.zhou@linux.dev wrote:
>> From: Chengming Zhou >> >> The req->dst buffer size should be checked before copying from the >> scomp_scratch->dst to avoid req->dst buffer overflow problem. >> >> Fixes: 1ab53a77b772 ("crypto: acomp - add driver-side scomp interface") >> Reported-by: syzbot+3eff5e51bf1db122a16e@syzkaller.appspotmail.com >> Closes: https://lore.kernel.org/all/0000000000000b05cd060d6b5511@google.com/ >> Signed-off-by: Chengming Zhou >> --- >> crypto/scompress.c | 6 ++++++ >> 1 file changed, 6 insertions(+) >> >> diff --git a/crypto/scompress.c b/crypto/scompress.c >> index 442a82c9de7d..e654a120ae5a 100644 >> --- a/crypto/scompress.c >> +++ b/crypto/scompress.c >> @@ -117,6 +117,7 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) >> struct crypto_scomp *scomp = *tfm_ctx; >> void **ctx = acomp_request_ctx(req); >> struct scomp_scratch *scratch; >> + unsigned int dlen; >> int ret; >> >> if (!req->src || !req->slen || req->slen > SCOMP_SCRATCH_SIZE) >> @@ -128,6 +129,8 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) >> if (!req->dlen || req->dlen > SCOMP_SCRATCH_SIZE) >> req->dlen = SCOMP_SCRATCH_SIZE; >> >> + dlen = req->dlen; >> + >> scratch = raw_cpu_ptr(&scomp_scratch); >> spin_lock(&scratch->lock); >> >> @@ -145,6 +148,9 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) >> ret = -ENOMEM; >> goto out; >> } >> + } else if (req->dlen > dlen) { >> + ret = -ENOMEM; >> + goto out; > > I think ENOMEM is ambiguous, perhaps ENOSPC? Right, ENOSPC is better. Should I send a v2? Thanks.
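
Review bot: in the second hunk (@@ -128,6 +129,8 @@), "dlen = req->dlen;" is captured after the clamp "if (!req->dlen || req->dlen > SCOMP_SCRATCH_SIZE) req->dlen = SCOMP_SCRATCH_SIZE;", so for a request that arrives with req->dlen of 0 the saved value is SCOMP_SCRATCH_SIZE rather than a size the caller supplied. The later comparison in the third hunk is only meaningful if dlen really is the capacity of the caller's req->dst. A one-line comment at the assignment saying that dlen holds the caller's destination capacity, and why the clamped value is acceptable for it, would make that invariant checkable from the code. A more descriptive name than dlen would also help, since req->dlen is about to be reused for the produced length.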
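
Review bot: in the third hunk (@@ -145,6 +148,9 @@), the new "else if (req->dlen > dlen)" branch returns -ENOMEM, the same code the branch directly above it returns with "ret = -ENOMEM; goto out;", so a caller cannot tell a failed allocation from a destination buffer that is too small for the output. A distinct error such as -ENOSPC for the too-small case, as suggested in the reply, keeps the two failures separable. It is also worth a short comment on this branch that req->dlen now holds the length produced into the scratch buffer while dlen is the size of the caller's req->dst, because the comparison reads as a field compared against a copy of itself without that context.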