From: Ondrej Mosnacek <omosnace@redhat.com>

stable inclusion
from stable-v4.19.245
commit 71a89789552b7faf3ef27969b9bc783fa0df3550
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I963KI
CVE: CVE-2022-48629
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit 16287397ec5c08aa58db6acf7dbc55470d78087d upstream.
The commit referenced in the Fixes tag removed the 'break' from the else branch in qcom_rng_read(), causing an infinite loop whenever 'max' is not a multiple of WORD_SZ. This can be reproduced e.g. by running:
kcapi-rng -b 67 >/dev/null
There are many ways to fix this without adding back the 'break', but they all seem more awkward than simply adding it back, so do just that.
Tested on a machine with Qualcomm Amberwing processor.
Fixes: a680b1832ced ("crypto: qcom-rng - ensure buffer for generate is completely filled")
Cc: stable@vger.kernel.org
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Brian Masney <bmasney@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: GUO Zihua <guozihua@huawei.com>
---
 drivers/crypto/qcom-rng.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/drivers/crypto/qcom-rng.c b/drivers/crypto/qcom-rng.c index e41ca58bf7b6..818e3e9479fe 100644 --- a/drivers/crypto/qcom-rng.c +++ b/drivers/crypto/qcom-rng.c @@ -64,6 +64,7 @@ static int qcom_rng_read(struct qcom_rng *rng, u8 *data, unsigned int max) } else { /* copy only remaining bytes */ memcpy(data, &val, max - currsize); + break; } } while (currsize < max);
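Review bot: The added `break` in the else branch is the only thing that ends the loop on a partial final word, and nothing in the code marks it as load-bearing. The visible lines copy `max - currsize` bytes with memcpy() but do not advance `currsize`, so the `while (currsize < max)` condition stays true on that path and cannot end the loop by itself. Since the commit named in the Fixes tag removed this same statement, I would extend the existing "copy only remaining bytes" comment to say that the break is required for termination when `max` is not a multiple of WORD_SZ, so a later cleanup does not drop it again. A regression check with a non-multiple length, such as the `kcapi-rng -b 67` run from the commit message, is worth keeping alongside the driver's tests.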