• Eric Biggers's avatar
    crypto: skcipher - don't WARN on unprocessed data after slow walk step · d418ee2c
    Eric Biggers authored
    commit dcaca01a42cc2c425154a13412b4124293a6e11e upstream.
    skcipher_walk_done() assumes it's a bug if, after the "slow" path is
    executed where the next chunk of data is processed via a bounce buffer,
    the algorithm says it didn't process all bytes.  Thus it WARNs on this.
    However, this can happen legitimately when the message needs to be
    evenly divisible into "blocks" but isn't, and the algorithm has a
    'walksize' greater than the block size.  For example, ecb-aes-neonbs
    sets 'walksize' to 128 bytes and only supports messages evenly divisible
    into 16-byte blocks.  If, say, 17 message bytes remain but they straddle
    scatterlist elements, the skcipher_walk code will take the "slow" path
    and pass the algorithm all 17 bytes in the bounce buffer.  But the
    algorithm will only be able to process 16 bytes, triggering the WARN.
    Fix this by just removing the WARN_ON().  Returning -EINVAL, as the code
    already does, is the right behavior.
    This bug was detected by my patches that improve testmgr to fuzz
    algorithms against their generic implementation.
    Fixes: b286d8b1 ("crypto: skcipher - Add skcipher walk interface")
    Cc: <stable@vger.kernel.org> # v4.10+
    Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
skcipher.c 26.2 KB