[CRYPTO] xcbc: Fix crash with IPsec (2f40a178) · Commits · e / devices / android_kernel_sony_msm8998

When using aes-xcbc-mac for authentication in IPsec, the kernel crashes. It seems this algorithm doesn't account for the space IPsec may make in scatterlist for authtag. Thus when crypto_xcbc_digest_update2() gets called, nbytes may be less than sg[i].length. Since nbytes is an unsigned number, it wraps at the end of the loop allowing us to go back into loop and causing crash in memcpy. I used update function in digest.c to model this fix. Please let me know if it looks ok. Signed-off-by:

Joy Latten <latten@austin.ibm.com> Signed-off-by:

Herbert Xu <herbert@gondor.apana.org.au>

crypto/xcbc.c

+5 −1

Original line number	Original line	Diff line number	Diff line
	@@ -124,6 +124,11 @@ static int crypto_xcbc_digest_update2(struct hash_desc *pdesc,
	unsigned int offset = sg[i].offset;		unsigned int offset = sg[i].offset;
	unsigned int slen = sg[i].length;		unsigned int slen = sg[i].length;

			if (unlikely(slen > nbytes))
			slen = nbytes;

			nbytes -= slen;

	while (slen > 0) {		while (slen > 0) {
	unsigned int len = min(slen, ((unsigned int)(PAGE_SIZE)) - offset);		unsigned int len = min(slen, ((unsigned int)(PAGE_SIZE)) - offset);
	char *p = crypto_kmap(pg, 0) + offset;		char *p = crypto_kmap(pg, 0) + offset;
	@@ -177,7 +182,6 @@ static int crypto_xcbc_digest_update2(struct hash_desc *pdesc,
	offset = 0;		offset = 0;
	pg++;		pg++;
	}		}
	nbytes-=sg[i].length;
	i++;		i++;
	} while (nbytes>0);		} while (nbytes>0);