Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c071afe2 authored by Ard Biesheuvel's avatar Ard Biesheuvel Committed by Eric Biggers
Browse files

UPSTREAM: crypto: arm/aes-ctr - fix NULL dereference in tail processing 



The AES-CTR glue code avoids calling into the blkcipher API for the
tail portion of the walk, by comparing the remainder of walk.nbytes
modulo AES_BLOCK_SIZE with the residual nbytes, and jumping straight
into the tail processing block if they are equal. This tail processing
block checks whether nbytes != 0, and does nothing otherwise.

However, in case of an allocation failure in the blkcipher layer, we
may enter this code with walk.nbytes == 0, while nbytes > 0. In this
case, we should not dereference the source and destination pointers,
since they may be NULL. So instead of checking for nbytes != 0, check
for (walk.nbytes % AES_BLOCK_SIZE) != 0, which implies the former in
non-error conditions.

Fixes: 86464859cc77 ("crypto: arm - AES in ECB/CBC/CTR/XTS modes using ARMv8 Crypto Extensions")
Cc: stable@vger.kernel.org
Reported-by: default avatarxiakaixu <xiakaixu@huawei.com>
Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit f82e90b28654804ab72881d577d87c3d5c65e2bc)
Change-Id: Ie3b6479e96bb5c39cd89d2e575b983cc90021615
Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
parent 203a37f4
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment