hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

wusbcore: Fix one more crypto-on-the-stack bug 

The driver put a constant buffer of all zeros on the stack and
pointed a scatterlist entry at it.  This doesn't work with virtual
stacks.  Use ZERO_PAGE instead.

Cc: stable@vger.kernel.org # 4.9 only
Reported-by: Eric Biggers <ebiggers3@gmail.com>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Andy Lutomirski 2016-12-13 18:50:13 -08:00 committed by Greg Kroah-Hartman
parent a121103c92
commit 620f1a632e
1 changed files with 1 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
drivers/usb/wusbcore/crypto.c
View File

@ -216,7 +216,6 @@ static int wusb_ccm_mac(struct crypto_skcipher *tfm_cbc,
struct scatterlist sg[4], sg_dst; struct scatterlist sg[4], sg_dst;
void *dst_buf; void *dst_buf;
size_t dst_size; size_t dst_size;
const u8 bzero[16] = { 0 };
u8 iv[crypto_skcipher_ivsize(tfm_cbc)]; u8 iv[crypto_skcipher_ivsize(tfm_cbc)];
size_t zero_padding; size_t zero_padding;
@ -261,7 +260,7 @@ static int wusb_ccm_mac(struct crypto_skcipher *tfm_cbc,
sg_set_buf(&sg[1], &scratch->b1, sizeof(scratch->b1)); sg_set_buf(&sg[1], &scratch->b1, sizeof(scratch->b1));
sg_set_buf(&sg[2], b, blen); sg_set_buf(&sg[2], b, blen);
/* 0 if well behaved :) */ /* 0 if well behaved :) */
sg_set_buf(&sg[3], bzero, zero_padding); sg_set_page(&sg[3], ZERO_PAGE(0), zero_padding, 0);
sg_init_one(&sg_dst, dst_buf, dst_size); sg_init_one(&sg_dst, dst_buf, dst_size);
skcipher_request_set_tfm(req, tfm_cbc); skcipher_request_set_tfm(req, tfm_cbc);