| From: Eric Dumazet <edumazet@google.com> |
| Date: Sat, 7 Apr 2018 13:42:36 -0700 |
| Subject: crypto: af_alg - fix possible uninit-value in alg_bind() |
| |
| commit a466856e0b7ab269cdf9461886d007e88ff575b0 upstream. |
| |
| syzbot reported: |
| |
| BUG: KMSAN: uninit-value in alg_bind+0xe3/0xd90 crypto/af_alg.c:162 |
| |
| We need to check addr_len before dereferencing sa (or uaddr) |
| |
| Fixes: bb30b8848c85 ("crypto: af_alg - whitelist mask and type") |
| Signed-off-by: Eric Dumazet <edumazet@google.com> |
| Reported-by: syzbot <syzkaller@googlegroups.com> |
| Cc: Stephan Mueller <smueller@chronox.de> |
| Cc: Herbert Xu <herbert@gondor.apana.org.au> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| [bwh: Backported to 3.16: adjust context] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| crypto/af_alg.c | 8 ++++---- |
| 1 file changed, 4 insertions(+), 4 deletions(-) |
| |
| --- a/crypto/af_alg.c |
| +++ b/crypto/af_alg.c |
| @@ -157,16 +157,16 @@ static int alg_bind(struct socket *sock, |
| void *private; |
| int err; |
| |
| - /* If caller uses non-allowed flag, return error. */ |
| - if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) |
| - return -EINVAL; |
| - |
| if (sock->state == SS_CONNECTED) |
| return -EINVAL; |
| |
| if (addr_len != sizeof(*sa)) |
| return -EINVAL; |
| |
| + /* If caller uses non-allowed flag, return error. */ |
| + if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed)) |
| + return -EINVAL; |
| + |
| sa->salg_type[sizeof(sa->salg_type) - 1] = 0; |
| sa->salg_name[sizeof(sa->salg_name) - 1] = 0; |
| |
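Review bot: The relocated `if ((sa->salg_feat & ~allowed) || (sa->salg_mask & ~allowed))` is now the first read of `sa` in the hunk, but nothing in the code records that its position after the `addr_len != sizeof(*sa)` check is the fix, so a later cleanup or backport that reorders the guards would silently reintroduce the KMSAN uninit-value read. I would pin the ordering with a comment directly above the moved check: `/* Do not read sa before addr_len is validated: a shorter address leaves the tail of the copied sockaddr unset (the uninit-value syzbot reported). */` — the copy itself happens outside this hunk, so the exact source of the uninitialized bytes is inferred. The exact-size comparison is also what keeps the `salg_type`/`salg_name` terminator writes in-bounds, which is worth saying in the same comment. alg_bind's signature, the `sa`/`uaddr` cast and the rest of its body lie outside this hunk, so they are not reviewed here.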