[Devel,RHEL7,COMMIT] ms/crypto: skcipher - Fix blkcipher walk OOM crash

Submitted by Konstantin Khorenko on Oct. 24, 2016, 12:34 p.m.

Details

Message ID 201610241234.u9OCYBGk025137@finist_cl7.x64_64.work.ct
State New
Series "ms/crypto: skcipher - Fix blkcipher walk OOM crash"
Headers show

Commit Message

Konstantin Khorenko Oct. 24, 2016, 12:34 p.m.
The commit is pushed to "branch-rh7-3.10.0-327.36.1.vz7.19.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-327.36.1.vz7.19.3
------>
commit c6ba9330342e14acce1ec98b6534c0ed7143ce21
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Mon Oct 24 16:34:11 2016 +0400

    ms/crypto: skcipher - Fix blkcipher walk OOM crash
    
    When we need to allocate a temporary blkcipher_walk_next and it
    fails, the code is supposed to take the slow path of processing
    the data block by block.  However, due to an unrelated change
    we instead end up dereferencing the NULL pointer.
    
    This patch fixes it by moving the unrelated bsize setting out
    of the way so that we enter the slow path as inteded.
    
    Fixes: 7607bd8ff03b ("[CRYPTO] blkcipher: Added blkcipher_walk_virt_block")
    Cc: stable@vger.kernel.org
    Reported-by: xiakaixu <xiakaixu@huawei.com>
    Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    (cherry picked from commit acdb04d0b36769b3e05990c488dc74d8b7ac8060)
    Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
---
 crypto/blkcipher.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Patch hide | download patch | download mbox

diff --git a/crypto/blkcipher.c b/crypto/blkcipher.c
index a79e7e9..5e77722 100644
--- a/crypto/blkcipher.c
+++ b/crypto/blkcipher.c
@@ -238,6 +238,8 @@  static int blkcipher_walk_next(struct blkcipher_desc *desc,
 		return blkcipher_walk_done(desc, walk, -EINVAL);
 	}
 
+	bsize = min(walk->blocksize, n);
+
 	walk->flags &= ~(BLKCIPHER_WALK_SLOW | BLKCIPHER_WALK_COPY |
 			 BLKCIPHER_WALK_DIFF);
 	if (!scatterwalk_aligned(&walk->in, alignmask) ||
@@ -250,7 +252,6 @@  static int blkcipher_walk_next(struct blkcipher_desc *desc,
 		}
 	}
 
-	bsize = min(walk->blocksize, n);
 	n = scatterwalk_clamp(&walk->in, n);
 	n = scatterwalk_clamp(&walk->out, n);