On Thu, Jan 18, 2018 at 08:41:09PM +0100, Stephan Müller wrote:
> Hi Herbert,
> 
> Sorry, I forgot to CC you on this patch -- v2 is unchanged from the
> original patch. It only adds you in copy.
> 
> ---8<---
> 
> GCM can be invoked with a zero destination buffer. This is possible if
> the AAD and the ciphertext have zero lengths and only the tag exists in
> the source buffer (i.e. a source buffer cannot be zero). In this case,
> the GCM cipher only performs the authentication and no decryption
> operation.
> 
> When the destination buffer has zero length, it is possible that no page
> is mapped to the SG pointing to the destination. In this case,
> sg_page(req->dst) is an invalid access. Therefore, page accesses should
> only be allowed if the req->dst->length is non-zero which is the
> indicator that a page must exist.
> 
> This fixes a crash that can be triggered by user space via AF_ALG.
> 
> CC: <sta...@vger.kernel.org>
> Signed-off-by: Stephan Mueller <smuel...@chronox.de>

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herb...@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
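
A user-space C model of the check the commit message describes, added here as an example; it is not the kernel patch. `model_page`, `model_sg`, `sg_entry_mappable` and `can_use_direct_path` are hypothetical names, and the 4096-byte page and 16-byte tag are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u   /* assumed page size for this model */
#define GCM_TAG_LEN     16u     /* assumed authentication tag length */

/* Hypothetical stand-ins for a page and a single scatterlist entry. */
struct model_page { bool highmem; };
struct model_sg {
    struct model_page *page;    /* may be NULL when length == 0 */
    unsigned int offset;
    unsigned int length;
};

/* GCM decrypt input is AAD || ciphertext || tag; output is ciphertext-sized. */
static unsigned int gcm_decrypt_out_len(unsigned int cryptlen)
{
    return cryptlen >= GCM_TAG_LEN ? cryptlen - GCM_TAG_LEN : 0;
}

/* The page may be touched only when the entry describes at least one byte:
 * a non-zero length is the indicator that a page exists behind the entry. */
static bool sg_entry_mappable(const struct model_sg *sg)
{
    if (sg->length == 0)
        return false;           /* nothing mapped: never look at sg->page */
    if (sg->length > MODEL_PAGE_SIZE ||
        sg->offset > MODEL_PAGE_SIZE - sg->length)
        return false;           /* spans a page boundary (overflow-safe) */
    return !sg->page->highmem;  /* page access, reached only if length != 0 */
}

/* False means the caller must take a path that never maps the dst page;
 * for a tag-only request that path performs authentication only. */
static bool can_use_direct_path(const struct model_sg *src,
                                const struct model_sg *dst)
{
    return sg_entry_mappable(src) && sg_entry_mappable(dst);
}

int main(void)
{
    struct model_page pg = { false };
    struct model_sg src = { &pg, 0, GCM_TAG_LEN };          /* tag only */
    struct model_sg dst = { NULL, 0, gcm_decrypt_out_len(GCM_TAG_LEN) };
    printf("dst length %u, direct path: %d\n",
           dst.length, can_use_direct_path(&src, &dst));
    return 0;
}
```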
