[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1220921.1687246935@warthog.procyon.org.uk>
Date: Tue, 20 Jun 2023 08:42:15 +0100
From: David Howells <dhowells@...hat.com>
To: Herbert Xu <herbert@...dor.apana.org.au>
Cc: dhowells@...hat.com, netdev@...r.kernel.org,
syzbot+13a08c0bf4d212766c3c@...kaller.appspotmail.com,
syzbot+14234ccf6d0ef629ec1a@...kaller.appspotmail.com,
syzbot+4e2e47f32607d0f72d43@...kaller.appspotmail.com,
syzbot+472626bb5e7c59fb768f@...kaller.appspotmail.com,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>, Jens Axboe <axboe@...nel.dk>,
Matthew Wilcox <willy@...radead.org>,
linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net-next v2] crypto: af_alg/hash: Fix recvmsg() after sendmsg(MSG_MORE)
Herbert Xu <herbert@...dor.apana.org.au> wrote:
> > + hash_free_result(sk, ctx);
>
> Please revert this change as I explained in the other message.
>
> > + if (!msg_data_left(msg))
> > + goto done; /* Zero-length; don't start new req */
>
> This is still broken in the case of a zero-length message with
> MSG_MORE set. Here you will short-circuit out without ever calling
> crypto_ahash_init. However, hash_recvmsg will directly call
> crypto_ahash_final on this, which is undefined.
Not so. hash_recvmsg() will call crypto_ahash_init() first because ctx->more
is false (hence why we came down this branch in hash_sendmsg()) and the result
was released on the previous line (which you're objecting to). If it goes to
the "done" label, it will skip setting ctx->more to true if MSG_MORE is
passed.
However, given you want sendmsg() to do the init->digest cycle on zero length
data, I think we should revert to the previous version of the patch that makes
a pass of the loop even with no data.
David
Powered by blists - more mailing lists