[PATCH net-next] crypto: Fix af_alg_sendmsg(MSG_SPLICE_PAGES) sglist limit

From: David Howells
Date: Thu Jun 15 2023 - 17:09:59 EST

Next message: Conor Dooley: "Re: [PATCH v4 08/10] irqchip: Add RISC-V advanced PLIC driver"
Previous message: Thinh Nguyen: "Re: [PATCH v8 6/9] usb: dwc3: qcom: Add multiport controller support for qcom wrapper"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

When af_alg_sendmsg() calls extract_iter_to_sg(), it passes MAX_SGL_ENTS as
the maximum number of elements that may be written to, but some of the
elements may already have been used (as recorded in sgl->cur), so
extract_iter_to_sg() may end up overrunning the scatterlist.

Fix this to limit the number of elements to "MAX_SGL_ENTS - sgl->cur".

Note: It probably makes sense in future to alter the behaviour of
extract_iter_to_sg() to stop if "sgtable->nents >= sg_max" instead, but
this is a smaller fix for now.

The bug causes errors looking something like:

BUG: KASAN: slab-out-of-bounds in sg_assign_page include/linux/scatterlist.h:109 [inline]
BUG: KASAN: slab-out-of-bounds in sg_set_page include/linux/scatterlist.h:139 [inline]
BUG: KASAN: slab-out-of-bounds in extract_bvec_to_sg lib/scatterlist.c:1183 [inline]
BUG: KASAN: slab-out-of-bounds in extract_iter_to_sg lib/scatterlist.c:1352 [inline]
BUG: KASAN: slab-out-of-bounds in extract_iter_to_sg+0x17a6/0x1960 lib/scatterlist.c:1339

Fixes: bf63e250c4b1 ("crypto: af_alg: Support MSG_SPLICE_PAGES")
Reported-by: syzbot+6efc50cc1f8d718d6cb7@xxxxxxxxxxxxxxxxxxxxxxxxx
Link: https://lore.kernel.org/r/000000000000b2585a05fdeb8379@xxxxxxxxxx/
Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
Tested-by: syzbot+6efc50cc1f8d718d6cb7@xxxxxxxxxxxxxxxxxxxxxxxxx
cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
cc: "David S. Miller" <davem@xxxxxxxxxxxxx>
cc: Eric Dumazet <edumazet@xxxxxxxxxx>
cc: Jakub Kicinski <kuba@xxxxxxxxxx>
cc: Paolo Abeni <pabeni@xxxxxxxxxx>
cc: Jens Axboe <axboe@xxxxxxxxx>
cc: Matthew Wilcox <willy@xxxxxxxxxxxxx>
cc: linux-crypto@xxxxxxxxxxxxxxx
cc: netdev@xxxxxxxxxxxxxxx
---
crypto/af_alg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index 7d4b6016b83d..cdb1dcc5dd1a 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -1043,7 +1043,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
};

plen = extract_iter_to_sg(&msg->msg_iter, len, &sgtable,
- MAX_SGL_ENTS, 0);
+ MAX_SGL_ENTS - sgl->cur, 0);
if (plen < 0) {
err = plen;
goto unlock;

Next message: Conor Dooley: "Re: [PATCH v4 08/10] irqchip: Add RISC-V advanced PLIC driver"
Previous message: Thinh Nguyen: "Re: [PATCH v8 6/9] usb: dwc3: qcom: Add multiport controller support for qcom wrapper"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]