[2.6.20.21 review 29/35] crypto: blkcipher_get_spot() handling of buffer at end of page

From: Willy Tarreau
Date: Sat Oct 13 2007 - 10:52:09 EST

Next message: Willy Tarreau: "[2.6.20.21 review 31/35] Fix IPV6 append OOPS."
Previous message: Willy Tarreau: "[2.6.20.21 review 27/35] ieee1394: ohci1394: fix initialization if built non-modular"
In reply to: Willy Tarreau: "[2.6.20.21 review 27/35] ieee1394: ohci1394: fix initialization if built non-modular"
Next in thread: Willy Tarreau: "[2.6.20.21 review 31/35] Fix IPV6 append OOPS."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This corresponds to upstream changesets
e4630f9fd8cdc14eb1caa08dafe649eb5ae09985 and
32528d0fbda1093eeeaa7d0a2c498bbb5154099d.

[CRYPTO] blkcipher: Fix handling of kmalloc page straddling

The function blkcipher_get_spot tries to return a buffer of
the specified length that does not straddle a page. It has
an off-by-one bug so it may advance a page unnecessarily.

What's worse, one of its callers doesn't provide a buffer
that's sufficiently long for this operation.

This patch fixes both problems. Thanks to Bob Gilligan for
diagnosing this problem and providing a fix.

Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
---
crypto/blkcipher.c | 11 +++++++----
1 files changed, 7 insertions(+), 4 deletions(-)

Index: 2.6/crypto/blkcipher.c
===================================================================
--- 2.6.orig/crypto/blkcipher.c
+++ 2.6/crypto/blkcipher.c
@@ -58,11 +58,13 @@ static inline void blkcipher_unmap_dst(s
scatterwalk_unmap(walk->dst.virt.addr, 1);
}

+/* Get a spot of the specified length that does not straddle a page.
+ * The caller needs to ensure that there is enough space for this operation.
+ */
static inline u8 *blkcipher_get_spot(u8 *start, unsigned int len)
{
- if (offset_in_page(start + len) < len)
- return (u8 *)((unsigned long)(start + len) & PAGE_MASK);
- return start;
+ u8 *end_page = (u8 *)(((unsigned long)(start + len - 1)) & PAGE_MASK);
+ return start > end_page ? start : end_page;
}

static inline unsigned int blkcipher_done_slow(struct crypto_blkcipher *tfm,
@@ -154,7 +156,8 @@ static inline int blkcipher_next_slow(st
if (walk->buffer)
goto ok;

- n = bsize * 2 + (alignmask & ~(crypto_tfm_ctx_alignment() - 1));
+ n = bsize * 3 - (alignmask + 1) +
+ (alignmask & ~(crypto_tfm_ctx_alignment() - 1));
walk->buffer = kmalloc(n, GFP_ATOMIC);
if (!walk->buffer)
return blkcipher_walk_done(desc, walk, -ENOMEM);

--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Willy Tarreau: "[2.6.20.21 review 31/35] Fix IPV6 append OOPS."
Previous message: Willy Tarreau: "[2.6.20.21 review 27/35] ieee1394: ohci1394: fix initialization if built non-modular"
In reply to: Willy Tarreau: "[2.6.20.21 review 27/35] ieee1394: ohci1394: fix initialization if built non-modular"
Next in thread: Willy Tarreau: "[2.6.20.21 review 31/35] Fix IPV6 append OOPS."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]