raspi/linux
1
0
Fork 1
mirror of https://github.com/raspberrypi/linux.git synced 2025-12-06 10:00:17 +00:00
Code Issues Projects Releases Wiki Activity

crypto: af_alg - Set merge to zero early in af_alg_sendmsg

Browse Source 
If an error causes af_alg_sendmsg to abort, ctx->merge may contain
a garbage value from the previous loop.  This may then trigger a
crash on the next entry into af_alg_sendmsg when it attempts to do
a merge that can't be done.

Fix this by setting ctx->merge to zero near the start of the loop.

Fixes: 8ff590903d ("crypto: algif_skcipher - User-space interface for skcipher operations")
Reported-by: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>
Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This commit is contained in:
Herbert Xu
2025-09-16 15:42:41 +08:00
parent 46834d90a9
commit 9574b2330d
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
crypto/af_alg.c
View File

@@ -1019,6 +1019,8 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
continue; continue;
} }
ctx->merge = 0;
if (!af_alg_writable(sk)) { if (!af_alg_writable(sk)) {
err = af_alg_wait_for_wmem(sk, msg->msg_flags); err = af_alg_wait_for_wmem(sk, msg->msg_flags);
if (err) if (err)
@@ -1058,7 +1060,6 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size,
ctx->used += plen; ctx->used += plen;
copied += plen; copied += plen;
size -= plen; size -= plen;
ctx->merge = 0;
} else { } else {
do { do {
struct page *pg; struct page *pg;