Commit 8648ac81 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'v7.0-p5' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 

Pull crypto fixes from Herbert Xu:

 - Enforce rx socket buffer limit in af_alg

 - Fix array overflow in af_alg_pull_tsgl

 - Fix out-of-bounds access when parsing extensions in X.509

 - Fix minimum rx size check in algif_aead

* tag 'v7.0-p5' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: algif_aead - Fix minimum RX size check for decryption
  X.509: Fix out-of-bounds access when parsing extensions
  crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl
  crypto: af_alg - limit RX SG extraction by receive buffer budget
parents f5459048 3d14bd48

crypto/af_alg.c

+4 −2
Original line number Diff line number Diff line
@@ -705,8 +705,8 @@ void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst) 
			 * Assumption: caller created af_alg_count_tsgl(len)

			 * SG entries in dst.

			 */

			if (dst) {

				/* reassign page to dst after offset */

			if (dst && plen) {

				/* reassign page to dst */

				get_page(page);

				sg_set_page(dst + j, page, plen, sg[i].offset);

				j++;
@@ -1229,6 +1229,8 @@ int af_alg_get_rsgl(struct sock *sk, struct msghdr *msg, int flags, 


		seglen = min_t(size_t, (maxsize - len),

			       msg_data_left(msg));

		/* Never pin more pages than the remaining RX accounting budget. */

		seglen = min_t(size_t, seglen, af_alg_rcvbuf(sk));



		if (list_empty(&areq->rsgl_list)) {

			rsgl = &areq->first_rsgl;

crypto/algif_aead.c

+1 −1
Original line number Diff line number Diff line
@@ -144,7 +144,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg, 
	if (usedpages < outlen) {

		size_t less = outlen - usedpages;



		if (used < less) {

		if (used < less + (ctx->enc ? 0 : as)) {

			err = -EINVAL;

			goto free;

		}

crypto/algif_skcipher.c

+5 −0
Original line number Diff line number Diff line
@@ -130,6 +130,11 @@ static int _skcipher_recvmsg(struct socket *sock, struct msghdr *msg, 
	 * full block size buffers.

	 */

	if (ctx->more || len < ctx->used) {

		if (len < bs) {

			err = -EINVAL;

			goto free;

		}



		len -= len % bs;

		cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL;

	}

crypto/asymmetric_keys/x509_cert_parser.c

+4 −4
Original line number Diff line number Diff line
@@ -609,10 +609,10 @@ int x509_process_extension(void *context, size_t hdrlen, 
		 *   0x04 is where keyCertSign lands in this bit string

		 *   0x80 is where digitalSignature lands in this bit string

		 */

		if (v[0] != ASN1_BTS)

			return -EBADMSG;

		if (vlen < 4)

			return -EBADMSG;

		if (v[0] != ASN1_BTS)

			return -EBADMSG;

		if (v[2] >= 8)

			return -EBADMSG;

		if (v[3] & 0x80)
@@ -645,10 +645,10 @@ int x509_process_extension(void *context, size_t hdrlen, 
		 *	(Expect 0xFF if the CA is TRUE)

		 * vlen should match the entire extension size

		 */

		if (v[0] != (ASN1_CONS_BIT | ASN1_SEQ))

			return -EBADMSG;

		if (vlen < 2)

			return -EBADMSG;

		if (v[0] != (ASN1_CONS_BIT | ASN1_SEQ))

			return -EBADMSG;

		if (v[1] != vlen - 2)

			return -EBADMSG;

		/* Empty SEQUENCE means CA:FALSE (default value omitted per DER) */