mirror of
https://git.proxmox.com/git/mirror_zfs.git
synced 2025-01-27 02:14:28 +03:00
ICP: Fix out of bounds write
If gcm_mode_encrypt_contiguous_blocks() is called more than once in succession, with the accumulated lengths being less than blocksize, ctx->copy_to will be incorrectly advanced. Later, if out is NULL, the bcopy at line 114 will overflow ctx->gcm_copy_to since ctx->gcm_remainder_len is larger than the ctx->gcm_copy_to buffer can hold.

The fix is to set ctx->copy_to only if it's not already set.

For ZoL the issue may be academic, since in all my testing I wasn't able to hit either of the two conditions needed to trigger it, but other consumers can easily do so.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Tom Caputi <tcaputi@datto.com>
Signed-off-by: Attila Fülöp <attila@fueloep.org>
Closes #9660
parent f784828416
commit 3ac34ca375
@ -67,7 +67,9 @@ gcm_mode_encrypt_contiguous_blocks(gcm_ctx_t *ctx, char *data, size_t length,
|
||||
(uint8_t *)ctx->gcm_remainder + ctx->gcm_remainder_len,
|
||||
length);
|
||||
ctx->gcm_remainder_len += length;
|
||||
ctx->gcm_copy_to = datap;
|
||||
if (ctx->gcm_copy_to == NULL) {
|
||||
ctx->gcm_copy_to = datap;
|
||||
}
|
||||
return (CRYPTO_SUCCESS);
|
||||
}
|
||||
|
||||
|
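Review bot: The new `if (ctx->gcm_copy_to == NULL)` guard around `ctx->gcm_copy_to = datap;` is only correct if the pointer is NULL at the start of every fresh remainder accumulation, and nothing in this hunk shows where it is cleared once the buffered remainder has been consumed. If a stale non-NULL value from an earlier accumulation survives, this branch now keeps it instead of overwriting it, so please confirm the reset on the consuming path and add a short comment above the guard stating the invariant (set once per accumulated partial block, cleared when the remainder is processed). The commit message also refers to `ctx->copy_to` and "line 114", while the field in the hunk is `ctx->gcm_copy_to` and the line number will drift; naming the field and the function instead would keep the message accurate. A regression test that calls gcm_mode_encrypt_contiguous_blocks() twice with a combined length below the block size would be worth adding, since the message says the condition could not be reached through ZoL testing.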