]> git.proxmox.com Git - mirror_ubuntu-kernels.git/commitdiff
crypto: algif_hash - Fix NULL hash crash with shash
authorHerbert Xu <herbert@gondor.apana.org.au>
Thu, 17 Nov 2016 14:07:58 +0000 (22:07 +0800)
committerHerbert Xu <herbert@gondor.apana.org.au>
Fri, 18 Nov 2016 14:34:10 +0000 (22:34 +0800)
Recently algif_hash has been changed to allow null hashes.  This
triggers a bug when used with an shash algorithm whereby it will
cause a crash during the digest operation.

This patch fixes it by avoiding the digest operation and instead
doing an init followed by a final which avoids the buggy code in
shash.

This patch also ensures that the result buffer is freed after an
error so that it is not returned as a genuine hash result on the
next recv call.

The shash/ahash wrapper code will be fixed later to handle this
case correctly.

Fixes: 493b2ed3f760 ("crypto: algif_hash - Handle NULL hashes correctly")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Laura Abbott <labbott@redhat.com>
crypto/algif_hash.c

index 2d8466f9e49b8632527ed1e2f35617ff02f5fac1..05e21b46443300e76a0663d37c4a3cb071254270 100644 (file)
@@ -214,23 +214,26 @@ static int hash_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
 
        ahash_request_set_crypt(&ctx->req, NULL, ctx->result, 0);
 
-       if (ctx->more) {
+       if (!result) {
+               err = af_alg_wait_for_completion(
+                               crypto_ahash_init(&ctx->req),
+                               &ctx->completion);
+               if (err)
+                       goto unlock;
+       }
+
+       if (!result || ctx->more) {
                ctx->more = 0;
                err = af_alg_wait_for_completion(crypto_ahash_final(&ctx->req),
                                                 &ctx->completion);
                if (err)
                        goto unlock;
-       } else if (!result) {
-               err = af_alg_wait_for_completion(
-                               crypto_ahash_digest(&ctx->req),
-                               &ctx->completion);
        }
 
        err = memcpy_to_msg(msg, ctx->result, len);
 
-       hash_free_result(sk, ctx);
-
 unlock:
+       hash_free_result(sk, ctx);
        release_sock(sk);
 
        return err ?: len;