Message ID | 20221221103710.2540276-1-roberto.sassu@huaweicloud.com |
---|---|
State | New |
Headers |
From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: dhowells@redhat.com, herbert@gondor.apana.org.au, davem@davemloft.net, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, Roberto Sassu <roberto.sassu@huaweicloud.com>
Subject: [PATCH v3 1/2] lib/mpi: Fix buffer overrun when SG is too long
Date: Wed, 21 Dec 2022 11:37:09 +0100
Message-Id: <20221221103710.2540276-1-roberto.sassu@huaweicloud.com>
X-Mailer: git-send-email 2.25.1
List-ID: <linux-kernel.vger.kernel.org> |
Series | [v3,1/2] lib/mpi: Fix buffer overrun when SG is too long |
Commit Message
Roberto Sassu
Dec. 21, 2022, 10:37 a.m. UTC
From: Herbert Xu <herbert@gondor.apana.org.au>

The helper mpi_read_raw_from_sgl sets the number of entries in the SG list according to nbytes. However, if the last entry in the SG list contains more data than nbytes, then it may overrun the buffer because it only allocates enough memory for nbytes.

Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers")
Reported-by: Roberto Sassu <roberto.sassu@huaweicloud.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
 lib/mpi/mpicoder.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/mpi/mpicoder.c b/lib/mpi/mpicoder.c index 39c4c6731094..3cb6bd148fa9 100644 --- a/lib/mpi/mpicoder.c +++ b/lib/mpi/mpicoder.c @@ -504,7 +504,8 @@ MPI mpi_read_raw_from_sgl(struct scatterlist *sgl, unsigned int nbytes) while (sg_miter_next(&miter)) { buff = miter.addr; - len = miter.length; + len = min_t(unsigned, miter.length, nbytes); + nbytes -= len; for (x = 0; x < len; x++) { a <<= 8;
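Review bot: In the `while (sg_miter_next(&miter))` loop, `min_t(unsigned, miter.length, nbytes)` uses a bare `unsigned` while the function signature declares `unsigned int nbytes`; spelling the type as `unsigned int` keeps the clamp consistent with the parameter and with kernel style. The new `nbytes -= len;` also consumes the function parameter, so after the loop `nbytes` no longer holds the caller's requested length; it is worth confirming that nothing later in `mpi_read_raw_from_sgl` reads it, or clamping against a local remaining-bytes counter instead. A one-line comment above the clamp saying that the last SG entry may hold more data than the remaining `nbytes` would record why the bound is there, since the allocation sized from `nbytes` is outside this hunk.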