summaryrefslogtreecommitdiffstats
path: root/arch/arm
diff options
context:
space:
mode:
authorEric Biggers <ebiggers@google.com>2018-01-24 00:31:27 -0800
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2018-02-16 20:06:50 +0100
commit97905e9cf76a4a0eace41c24ab7582c02b6517a9 (patch)
tree5cb46e357ba614b77af65ff7bf15f4fc6456bbbb /arch/arm
parentbde50164e671849f175422c3f846ff00d651b3ec (diff)
downloadlinux-stable-97905e9cf76a4a0eace41c24ab7582c02b6517a9.tar.gz
linux-stable-97905e9cf76a4a0eace41c24ab7582c02b6517a9.tar.bz2
linux-stable-97905e9cf76a4a0eace41c24ab7582c02b6517a9.zip
crypto: sha512-mb - initialize pending lengths correctly
commit eff84b379089cd8b4e83599639c1f5f6e34ef7bf upstream. The SHA-512 multibuffer code keeps track of the number of blocks pending in each lane. The minimum of these values is used to identify the next lane that will be completed. Unused lanes are set to a large number (0xFFFFFFFF) so that they don't affect this calculation. However, it was forgotten to set the lengths to this value in the initial state, where all lanes are unused. As a result it was possible for sha512_mb_mgr_get_comp_job_avx2() to select an unused lane, causing a NULL pointer dereference. Specifically this could happen in the case where ->update() was passed fewer than SHA512_BLOCK_SIZE bytes of data, so it then called sha_complete_job() without having actually submitted any blocks to the multi-buffer code. This hit a NULL pointer dereference if another task happened to have submitted blocks concurrently to the same CPU and the flush timer had not yet expired. Fix this by initializing sha512_mb_mgr->lens correctly. As usual, this bug was found by syzkaller. Fixes: 45691e2d9b18 ("crypto: sha512-mb - submit/flush routines for AVX2") Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'arch/arm')
0 files changed, 0 insertions, 0 deletions