From: Chengming Zhou zhouchengming@bytedance.com
stable inclusion from stable-v4.19.306 commit 1142d65c5b881590962ad763f94505b6dd67d2fe bugzilla: https://gitee.com/src-openeuler/kernel/issues/I99K14 CVE: CVE-2023-52612
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 744e1885922a9943458954cfea917b31064b4131 ]
The req->dst buffer size should be checked before copying from the scomp_scratch->dst to avoid req->dst buffer overflow problem.
Fixes: 1ab53a77b772 ("crypto: acomp - add driver-side scomp interface") Reported-by: syzbot+3eff5e51bf1db122a16e@syzkaller.appspotmail.com Closes: https://lore.kernel.org/all/0000000000000b05cd060d6b5511@google.com/ Signed-off-by: Chengming Zhou zhouchengming@bytedance.com Reviewed-by: Barry Song v-songbaohua@oppo.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Felix Fu fuzhen5@huawei.com --- crypto/scompress.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/crypto/scompress.c b/crypto/scompress.c index 3702f1648ea8..34174f55a6d6 100644 --- a/crypto/scompress.c +++ b/crypto/scompress.c @@ -132,6 +132,7 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) struct crypto_scomp *scomp = *tfm_ctx; void **ctx = acomp_request_ctx(req); struct scomp_scratch *scratch; + unsigned int dlen; int ret;
if (!req->src || !req->slen || req->slen > SCOMP_SCRATCH_SIZE) @@ -143,6 +144,8 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) if (!req->dlen || req->dlen > SCOMP_SCRATCH_SIZE) req->dlen = SCOMP_SCRATCH_SIZE;
+ dlen = req->dlen; + scratch = raw_cpu_ptr(&scomp_scratch); spin_lock(&scratch->lock);
@@ -160,6 +163,9 @@ static int scomp_acomp_comp_decomp(struct acomp_req *req, int dir) ret = -ENOMEM; goto out; } + } else if (req->dlen > dlen) { + ret = -ENOSPC; + goto out; } scatterwalk_map_and_copy(scratch->dst, req->dst, 0, req->dlen, 1);