release/4.8.25/crypto-algif_aead-Fix-bogus-request-dereference-in-c.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-4.8 - Git at Google

 From 9a5880049feeeec57dfa433a159124500261fe28 Mon Sep 17 00:00:00 2001
 From: Herbert Xu <herbert@gondor.apana.org.au>
 Date: Mon, 10 Apr 2017 17:59:07 +0800
 Subject: [PATCH] crypto: algif_aead - Fix bogus request dereference in
  completion function

 commit e6534aebb26e32fbab14df9c713c65e8507d17e4 upstream.

 The algif_aead completion function tries to deduce the aead_request
 from the crypto_async_request argument.  This is broken because
 the API does not guarantee that the same request will be pased to
 the completion function.  Only the value of req->data can be used
 in the completion function.

 This patch fixes it by storing a pointer to sk in areq and using
 that instead of passing in sk through req->data.

 Fixes: 83094e5e9e49 ("crypto: af_alg - add async support to...")
 Cc: <stable@vger.kernel.org>
 Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
 index 10fe7972391c..2f855afbc76d 100644
 --- a/crypto/algif_aead.c
 +++ b/crypto/algif_aead.c
 @@ -39,6 +39,7 @@ struct aead_async_req {
  	struct aead_async_rsgl first_rsgl;
  	struct list_head list;
  	struct kiocb *iocb;
 +	struct sock *sk;
  	unsigned int tsgls;
  	char iv[];
  };
 @@ -375,12 +376,10 @@ unlock:

  static void aead_async_cb(struct crypto_async_request *_req, int err)
  {
 -	struct sock *sk = _req->data;
 -	struct alg_sock *ask = alg_sk(sk);
 -	struct aead_ctx *ctx = ask->private;
 -	struct crypto_aead *tfm = crypto_aead_reqtfm(&ctx->aead_req);
 -	struct aead_request *req = aead_request_cast(_req);
 +	struct aead_request *req = _req->data;
 +	struct crypto_aead *tfm = crypto_aead_reqtfm(req);
  	struct aead_async_req *areq = GET_ASYM_REQ(req, tfm);
 +	struct sock *sk = areq->sk;
  	struct scatterlist *sg = areq->tsgl;
  	struct aead_async_rsgl *rsgl;
  	struct kiocb *iocb = areq->iocb;
 @@ -440,11 +439,12 @@ static int aead_recvmsg_async(struct socket *sock, struct msghdr *msg,
  	memset(&areq->first_rsgl, '\0', sizeof(areq->first_rsgl));
  	INIT_LIST_HEAD(&areq->list);
  	areq->iocb = msg->msg_iocb;
 +	areq->sk = sk;
  	memcpy(areq->iv, ctx->iv, crypto_aead_ivsize(tfm));
  	aead_request_set_tfm(req, tfm);
  	aead_request_set_ad(req, ctx->aead_assoclen);
  	aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
 -				  aead_async_cb, sk);
 +				  aead_async_cb, req);
  	used -= ctx->aead_assoclen + (ctx->enc ? as : 0);

  	/* take over all tx sgls from ctx */
 --
 2.12.0
	From 9a5880049feeeec57dfa433a159124500261fe28 Mon Sep 17 00:00:00 2001
	From: Herbert Xu <herbert@gondor.apana.org.au>
	Date: Mon, 10 Apr 2017 17:59:07 +0800
	Subject: [PATCH] crypto: algif_aead - Fix bogus request dereference in
	completion function

	commit e6534aebb26e32fbab14df9c713c65e8507d17e4 upstream.

	The algif_aead completion function tries to deduce the aead_request
	from the crypto_async_request argument. This is broken because
	the API does not guarantee that the same request will be pased to
	the completion function. Only the value of req->data can be used
	in the completion function.

	This patch fixes it by storing a pointer to sk in areq and using
	that instead of passing in sk through req->data.

	Fixes: 83094e5e9e49 ("crypto: af_alg - add async support to...")
	Cc: <stable@vger.kernel.org>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
	index 10fe7972391c..2f855afbc76d 100644
	--- a/crypto/algif_aead.c
	+++ b/crypto/algif_aead.c
	@@ -39,6 +39,7 @@ struct aead_async_req {
	struct aead_async_rsgl first_rsgl;
	struct list_head list;
	struct kiocb *iocb;
	+ struct sock *sk;
	unsigned int tsgls;
	char iv[];
	};
	@@ -375,12 +376,10 @@ unlock:

	static void aead_async_cb(struct crypto_async_request *_req, int err)
	{
	- struct sock *sk = _req->data;
	- struct alg_sock *ask = alg_sk(sk);
	- struct aead_ctx *ctx = ask->private;
	- struct crypto_aead *tfm = crypto_aead_reqtfm(&ctx->aead_req);
	- struct aead_request *req = aead_request_cast(_req);
	+ struct aead_request *req = _req->data;
	+ struct crypto_aead *tfm = crypto_aead_reqtfm(req);
	struct aead_async_req *areq = GET_ASYM_REQ(req, tfm);
	+ struct sock *sk = areq->sk;
	struct scatterlist *sg = areq->tsgl;
	struct aead_async_rsgl *rsgl;
	struct kiocb *iocb = areq->iocb;
	@@ -440,11 +439,12 @@ static int aead_recvmsg_async(struct socket sock, struct msghdr msg,
	memset(&areq->first_rsgl, '\0', sizeof(areq->first_rsgl));
	INIT_LIST_HEAD(&areq->list);
	areq->iocb = msg->msg_iocb;
	+ areq->sk = sk;
	memcpy(areq->iv, ctx->iv, crypto_aead_ivsize(tfm));
	aead_request_set_tfm(req, tfm);
	aead_request_set_ad(req, ctx->aead_assoclen);
	aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
	- aead_async_cb, sk);
	+ aead_async_cb, req);
	used -= ctx->aead_assoclen + (ctx->enc ? as : 0);

	/* take over all tx sgls from ctx */
	--
	2.12.0