releases/4.6.4/crypto-user-re-add-size-check-for-crypto_msg_getalg.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 055ddaace03580455a7b7dbea8e93d62acee61fc Mon Sep 17 00:00:00 2001
 From: Mathias Krause <minipli@googlemail.com>
 Date: Wed, 22 Jun 2016 20:29:37 +0200
 Subject: crypto: user - re-add size check for CRYPTO_MSG_GETALG

 From: Mathias Krause <minipli@googlemail.com>

 commit 055ddaace03580455a7b7dbea8e93d62acee61fc upstream.

 Commit 9aa867e46565 ("crypto: user - Add CRYPTO_MSG_DELRNG")
 accidentally removed the minimum size check for CRYPTO_MSG_GETALG
 netlink messages. This allows userland to send a truncated
 CRYPTO_MSG_GETALG message as short as a netlink header only making
 crypto_report() operate on uninitialized memory by accessing data
 beyond the end of the netlink message.

 Fix this be re-adding the minimum required size of CRYPTO_MSG_GETALG
 messages to the crypto_msg_min[] array.

 Fixes: 9aa867e46565 ("crypto: user - Add CRYPTO_MSG_DELRNG")
 Signed-off-by: Mathias Krause <minipli@googlemail.com>
 Cc: Steffen Klassert <steffen.klassert@secunet.com>
 Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  crypto/crypto_user.c |    1 +
  1 file changed, 1 insertion(+)

 --- a/crypto/crypto_user.c
 +++ b/crypto/crypto_user.c
 @@ -455,6 +455,7 @@ static const int crypto_msg_min[CRYPTO_N
  	[CRYPTO_MSG_NEWALG	- CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg),
  	[CRYPTO_MSG_DELALG	- CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg),
  	[CRYPTO_MSG_UPDATEALG	- CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg),
 +	[CRYPTO_MSG_GETALG	- CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg),
  	[CRYPTO_MSG_DELRNG	- CRYPTO_MSG_BASE] = 0,
  };
	From 055ddaace03580455a7b7dbea8e93d62acee61fc Mon Sep 17 00:00:00 2001
	From: Mathias Krause <minipli@googlemail.com>
	Date: Wed, 22 Jun 2016 20:29:37 +0200
	Subject: crypto: user - re-add size check for CRYPTO_MSG_GETALG

	From: Mathias Krause <minipli@googlemail.com>

	commit 055ddaace03580455a7b7dbea8e93d62acee61fc upstream.

	Commit 9aa867e46565 ("crypto: user - Add CRYPTO_MSG_DELRNG")
	accidentally removed the minimum size check for CRYPTO_MSG_GETALG
	netlink messages. This allows userland to send a truncated
	CRYPTO_MSG_GETALG message as short as a netlink header only making
	crypto_report() operate on uninitialized memory by accessing data
	beyond the end of the netlink message.

	Fix this be re-adding the minimum required size of CRYPTO_MSG_GETALG
	messages to the crypto_msg_min[] array.

	Fixes: 9aa867e46565 ("crypto: user - Add CRYPTO_MSG_DELRNG")
	Signed-off-by: Mathias Krause <minipli@googlemail.com>
	Cc: Steffen Klassert <steffen.klassert@secunet.com>
	Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	crypto/crypto_user.c \| 1 +
	1 file changed, 1 insertion(+)

	--- a/crypto/crypto_user.c
	+++ b/crypto/crypto_user.c
	@@ -455,6 +455,7 @@ static const int crypto_msg_min[CRYPTO_N
	[CRYPTO_MSG_NEWALG - CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg),
	[CRYPTO_MSG_DELALG - CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg),
	[CRYPTO_MSG_UPDATEALG - CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg),
	+ [CRYPTO_MSG_GETALG - CRYPTO_MSG_BASE] = MSGSIZE(crypto_user_alg),
	[CRYPTO_MSG_DELRNG - CRYPTO_MSG_BASE] = 0,
	};