Re: [RFC v3] crypto: ccree - protect against short scatterlists

From: Eric Biggers
Date: Mon Jan 27 2020 - 21:56:01 EST


On Mon, Jan 27, 2020 at 05:08:21PM +0200, Gilad Ben-Yossef wrote:
> Deal gracefully with the event of being handed a scatterlist
> which is shorter than expected.
>
> This mitigates a crash in some cases due to
> attempt to map empty (but not NULL) scatterlists with none
> zero lengths.
>
> Signed-off-by: Gilad Ben-Yossef <gilad@xxxxxxxxxxxxx>
> Reported-by: Geert Uytterhoeven <geert@xxxxxxxxxxxxxx>

It's definitely wrong use of the crypto API to pass a scatterlist that's too
short. Note that this is *not* what the test code is doing.

So I don't think you should be hacking around it here.

It is possible the bug is actually in cc_aead_chain_data()? It looks like it's
adding the authentication tag size to the source data size for encryption, which
is not correct. The authentication tag is part of the destination only.

size_for_map += (direct == DRV_CRYPTO_DIRECTION_ENCRYPT) ?
authsize : 0;
src_mapped_nents = cc_get_sgl_nents(dev, req->src, size_for_map,
&src_last_bytes);

- Eric