Commit eff84b37 authored by Eric Biggers's avatar Eric Biggers Committed by Herbert Xu

crypto: sha512-mb - initialize pending lengths correctly

The SHA-512 multibuffer code keeps track of the number of blocks pending
in each lane.  The minimum of these values is used to identify the next
lane that will be completed.  Unused lanes are set to a large number
(0xFFFFFFFF) so that they don't affect this calculation.

However, it was forgotten to set the lengths to this value in the
initial state, where all lanes are unused.  As a result it was possible
for sha512_mb_mgr_get_comp_job_avx2() to select an unused lane, causing
a NULL pointer dereference.  Specifically this could happen in the case
where ->update() was passed fewer than SHA512_BLOCK_SIZE bytes of data,
so it then called sha_complete_job() without having actually submitted
any blocks to the multi-buffer code.  This hit a NULL pointer
dereference if another task happened to have submitted blocks
concurrently to the same CPU and the flush timer had not yet expired.

Fix this by initializing sha512_mb_mgr->lens correctly.

As usual, this bug was found by syzkaller.

Fixes: 45691e2d ("crypto: sha512-mb - submit/flush routines for AVX2")
Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
Cc: <stable@vger.kernel.org> # v4.8+
Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent 2d55807b
...@@ -57,10 +57,12 @@ void sha512_mb_mgr_init_avx2(struct sha512_mb_mgr *state) ...@@ -57,10 +57,12 @@ void sha512_mb_mgr_init_avx2(struct sha512_mb_mgr *state)
{ {
unsigned int j; unsigned int j;
state->lens[0] = 0; /* initially all lanes are unused */
state->lens[1] = 1; state->lens[0] = 0xFFFFFFFF00000000;
state->lens[2] = 2; state->lens[1] = 0xFFFFFFFF00000001;
state->lens[3] = 3; state->lens[2] = 0xFFFFFFFF00000002;
state->lens[3] = 0xFFFFFFFF00000003;
state->unused_lanes = 0xFF03020100; state->unused_lanes = 0xFF03020100;
for (j = 0; j < 4; j++) for (j = 0; j < 4; j++)
state->ldata[j].job_in_lane = NULL; state->ldata[j].job_in_lane = NULL;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment