4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stephan Mueller <smuel...@chronox.de>

Fixed differently upstream as commit 2d97591ef43d ("crypto: af_alg - 
consolidation of duplicate code")

The SGL is MAX_SGL_ENTS + 1 in size. The last SG entry is used for the
chaining and is properly updated with the sg_chain invocation. During
the filling-in of the initial SG entries, sg_mark_end is called for each
SG entry. This is appropriate as long as no additional SGL is chained
with the current SGL. However, when a new SGL is chained and the last
SG entry is updated with sg_chain, the last but one entry still contains
the end marker from the sg_mark_end. This end marker must be removed as
otherwise a walk of the chained SGLs will cause a NULL pointer
dereference at the last but one SG entry, because sg_next will return
NULL.

The patch only applies to all kernels up to and including 4.13. The
patch 2d97591ef43d0587be22ad1b0d758d6df4999a0b added to 4.14-rc1
introduced a complete new code base which addresses this bug in
a different way. Yet, that patch is too invasive for stable kernels
and was therefore not marked for stable.

Fixes: 8ff590903d5fc ("crypto: algif_skcipher - User-space interface for 
skcipher operations")
Signed-off-by: Stephan Mueller <smuel...@chronox.de>
Acked-by: Herbert Xu <herb...@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
---
 crypto/algif_skcipher.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -143,8 +143,10 @@ static int skcipher_alloc_sgl(struct soc
                sg_init_table(sgl->sg, MAX_SGL_ENTS + 1);
                sgl->cur = 0;
 
-               if (sg)
+               if (sg) {
                        sg_chain(sg, MAX_SGL_ENTS + 1, sgl->sg);
+                       sg_unmark_end(sg + (MAX_SGL_ENTS - 1));
+               }
 
                list_add_tail(&sgl->list, &ctx->tsgl);
        }


Reply via email to