PD#156570: security: fix security issue CVE-2017-13215

crypto: algif_skcipher - Load TX SG list after waiting commit 4f0414e upstream. We need to load the TX SG list in sendmsg(2) after waiting for incoming data, not before. [[email protected]: backport to 3.18, where the relevant logic is located in skcipher_recvmsg() rather than skcipher_recvmsg_sync()] Change-Id: I9b052bf18b691675e9f0221db2b015bcbc047e3f Reported-by: Dmitry Vyukov <[email protected]> Signed-off-by: Herbert Xu <[email protected]> Tested-by: Dmitry Vyukov <[email protected]> Signed-off-by: Connor O'Brien <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> Signed-off-by: Ao Xu <[email protected]>
wrxtasy · Sep 15, 2018 · 160e5e6 · 160e5e6
1 parent 9972efb
commit 160e5e6
Showing 1 changed file with 7 additions and 7 deletions.
diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
@@ -441,13 +441,6 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock,
 		char __user *from = iov->iov_base;
 
 		while (seglen) {
-			sgl = list_first_entry(&ctx->tsgl,
-					       struct skcipher_sg_list, list);
-			sg = sgl->sg;
-
-			while (!sg->length)
-				sg++;
-
 			used = ctx->used;
 			if (!used) {
 				err = skcipher_wait_for_data(sk, flags);
@@ -469,6 +462,13 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock,
 			if (!used)
 				goto free;
 
+			sgl = list_first_entry(&ctx->tsgl,
+					       struct skcipher_sg_list, list);
+			sg = sgl->sg;
+
+			while (!sg->length)
+				sg++;
+
 			ablkcipher_request_set_crypt(&ctx->req, sg,
 						     ctx->rsgl.sg, used,
 						     ctx->iv);