From: Eric Biggers <ebiggers@google.com>

Date: Tue, 9 Apr 2019 23:46:32 -0700

Subject: crypto: arm64/aes-neonbs - don't access already-freed walk.iv

Git-commit: 4a8108b70508df0b6c4ffa4a3974dab93dcbe851

Patch-mainline: v5.2-rc1

References: git-fixes

If the user-provided IV needs to be aligned to the algorithm's

alignmask, then skcipher_walk_virt() copies the IV into a new aligned

buffer walk.iv.  But skcipher_walk_virt() can fail afterwards, and then

if the caller unconditionally accesses walk.iv, it's a use-after-free.

xts-aes-neonbs doesn't set an alignmask, so currently it isn't affected

by this despite unconditionally accessing walk.iv.  However this is more

subtle than desired, and unconditionally accessing walk.iv has caused a

real problem in other algorithms.  Thus, update xts-aes-neonbs to start

checking the return value of skcipher_walk_virt().

Fixes: 1abee99eafab ("crypto: arm64/aes - reimplement bit-sliced ARM/NEON implementation for arm64")

Cc: <stable@vger.kernel.org> # v4.11+

Signed-off-by: Eric Biggers <ebiggers@google.com>

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Acked-by: Ivan T. Ivanov <iivanov@suse.de>

---

 arch/arm64/crypto/aes-neonbs-glue.c |    2 ++

 1 file changed, 2 insertions(+)

--- a/arch/arm64/crypto/aes-neonbs-glue.c

+++ b/arch/arm64/crypto/aes-neonbs-glue.c

@@ -307,6 +307,8 @@ static int __xts_crypt(struct skcipher_r

 	int err;

 	err = skcipher_walk_virt(&walk, req, true);

+	if (err)

+		return err;

 	kernel_neon_begin();