diff options
| author | Cong Wang <cong.wang@bytedance.com> | 2020-12-27 03:50:20 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-02-13 15:51:14 +0300 |
| commit | fac13c1dd417f7d117c28d4929175c3b05820234 (patch) | |
| tree | fd7a1bfd539864bf858b6e0211fbd02512941c78 /drivers/regulator | |
| parent | 4f12385298d474541a794f4c47980861299f20e7 (diff) | |
| download | linux-fac13c1dd417f7d117c28d4929175c3b05820234.tar.xz | |
af_key: relax availability checks for skb size calculation
[ Upstream commit afbc293add6466f8f3f0c3d944d85f53709c170f ]
xfrm_probe_algs() probes kernel crypto modules and changes the
availability of struct xfrm_algo_desc. But there is a small window
where ealg->available and aalg->available get changed between
count_ah_combs()/count_esp_combs() and dump_ah_combs()/dump_esp_combs(),
in this case we may allocate a smaller skb but later put a larger
amount of data and trigger the panic in skb_put().
Fix this by relaxing the checks when counting the size, that is,
skipping the test of ->available. We may waste some memory for a few
of sizeof(struct sadb_comb), but it is still much better than a panic.
Reported-by: syzbot+b2bf2652983d23734c5c@syzkaller.appspotmail.com
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/regulator')
0 files changed, 0 insertions, 0 deletions