Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'v7.0-p5' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6

Pull crypto fixes from Herbert Xu:

- Enforce rx socket buffer limit in af_alg

- Fix array overflow in af_alg_pull_tsgl

- Fix out-of-bounds access when parsing extensions in X.509

- Fix minimum rx size check in algif_aead

* tag 'v7.0-p5' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
crypto: algif_aead - Fix minimum RX size check for decryption
X.509: Fix out-of-bounds access when parsing extensions
crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl
crypto: af_alg - limit RX SG extraction by receive buffer budget

+14 -7
+4 -2
crypto/af_alg.c
··· 705 705 * Assumption: caller created af_alg_count_tsgl(len) 706 706 * SG entries in dst. 707 707 */ 708 - if (dst) { 709 - /* reassign page to dst after offset */ 708 + if (dst && plen) { 709 + /* reassign page to dst */ 710 710 get_page(page); 711 711 sg_set_page(dst + j, page, plen, sg[i].offset); 712 712 j++; ··· 1229 1229 1230 1230 seglen = min_t(size_t, (maxsize - len), 1231 1231 msg_data_left(msg)); 1232 + /* Never pin more pages than the remaining RX accounting budget. */ 1233 + seglen = min_t(size_t, seglen, af_alg_rcvbuf(sk)); 1232 1234 1233 1235 if (list_empty(&areq->rsgl_list)) { 1234 1236 rsgl = &areq->first_rsgl;
+1 -1
crypto/algif_aead.c
··· 144 144 if (usedpages < outlen) { 145 145 size_t less = outlen - usedpages; 146 146 147 - if (used < less) { 147 + if (used < less + (ctx->enc ? 0 : as)) { 148 148 err = -EINVAL; 149 149 goto free; 150 150 }
+5
crypto/algif_skcipher.c
··· 130 130 * full block size buffers. 131 131 */ 132 132 if (ctx->more || len < ctx->used) { 133 + if (len < bs) { 134 + err = -EINVAL; 135 + goto free; 136 + } 137 + 133 138 len -= len % bs; 134 139 cflags |= CRYPTO_SKCIPHER_REQ_NOTFINAL; 135 140 }
+4 -4
crypto/asymmetric_keys/x509_cert_parser.c
··· 609 609 * 0x04 is where keyCertSign lands in this bit string 610 610 * 0x80 is where digitalSignature lands in this bit string 611 611 */ 612 - if (v[0] != ASN1_BTS) 613 - return -EBADMSG; 614 612 if (vlen < 4) 613 + return -EBADMSG; 614 + if (v[0] != ASN1_BTS) 615 615 return -EBADMSG; 616 616 if (v[2] >= 8) 617 617 return -EBADMSG; ··· 645 645 * (Expect 0xFF if the CA is TRUE) 646 646 * vlen should match the entire extension size 647 647 */ 648 - if (v[0] != (ASN1_CONS_BIT | ASN1_SEQ)) 649 - return -EBADMSG; 650 648 if (vlen < 2) 649 + return -EBADMSG; 650 + if (v[0] != (ASN1_CONS_BIT | ASN1_SEQ)) 651 651 return -EBADMSG; 652 652 if (v[1] != vlen - 2) 653 653 return -EBADMSG;
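
Review bot: In crypto/af_alg.c at line 708, the new `plen` term in `if (dst && plen)` is unexplained: the comment was shortened to "reassign page to dst" and no longer says why some entries are skipped. Since the comment just above states that the caller sized dst with af_alg_count_tsgl(len), a sentence saying that zero-length entries are skipped so that `j` never advances past the entries the caller allocated would make the invariant this fix restores visible to the next reader.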
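
Review bot: In crypto/af_alg.c at line 1233, the clamp `seglen = min_t(size_t, seglen, af_alg_rcvbuf(sk));` depends on two things the visible lines do not show. First, min_t(size_t, ...) converts both operands to size_t, so if af_alg_rcvbuf() could ever return a negative value it would become a very large number and the clamp would do nothing; it is worth confirming that the helper never goes below zero. Second, when the budget is exhausted seglen becomes 0, and the code that follows goes on to pick an rsgl; please confirm that a zero seglen ends the loop or returns an error rather than extracting nothing and iterating again.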
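
Review bot: In crypto/algif_aead.c at line 147, the condition `used < less + (ctx->enc ? 0 : as)` packs the encrypt/decrypt distinction into a ternary inside an addition with no comment. The identifier `as` is not defined in the visible lines, so a reader of this hunk cannot tell what is being reserved for decryption. Suggest a one-line comment above the test stating what `as` represents and why only the decryption path must keep that many bytes of input, or computing the minimum into a named local before the comparison.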
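
Review bot: The five added lines in crypto/algif_skcipher.c at line 133 are not described by any of the four items in the pull message, and none of the shortlog entries names algif_skcipher, so it is unclear from this page which commit carries them. The behaviour change is user-visible: previously a `len` smaller than `bs` was rounded down to 0 by `len -= len % bs`, and now the request fails with -EINVAL. The commit that carries this should say so, and a short comment on the new `if (len < bs)` test stating that at least one full block of receive space is required would match the existing comment about full block size buffers.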
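
Review bot: In crypto/asymmetric_keys/x509_cert_parser.c, both hunks (lines 612 and 648) fix the same ordering mistake, reading `v[0]` before checking `vlen`, which suggests the pattern may exist elsewhere in the extension parsing code; it would be worth auditing the other extension handlers in this file for a dereference of `v` ahead of its length check. The minimum lengths 4 and 2 are also bare numbers: a brief comment naming the bytes each check covers (for example that `v[2]` is read in the first block and `v[1]` in the second) would make it easier to verify that every later index is within the checked length.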