commit 69313189397a2ff22a37d0db7c59406265a80b89
author Herbert Xu <herbert@gondor.apana.org.au> Mon Jan 18 18:46:10 2016 +0800
committer chrmhoffmann <chrmhoffmann@gmail.com> Sat Aug 04 10:48:41 2018 +0200
tree edea525973c26e2d9eb81be1a21c789ae76d41d3
parent 49ca11d5806a5104ee30a465d848e551feec8a28

crypto: algif_skcipher - Load TX SG list after waiting

commit 4f0414e54e4d1893c6f08260693f8ef84c929293 upstream.

We need to load the TX SG list in sendmsg(2) after waiting for
incoming data, not before.

[connoro@google.com: backport to 3.18, where the relevant logic is
located in skcipher_recvmsg() rather than skcipher_recvmsg_sync()]

Change-Id: I5feed88aaec9b985573078e1911a757e44406dfe
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Connor O'Brien <connoro@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
CVE-2017-13215
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
(cherry picked from commit 053c5efbe69a1f03fc886f706cda7122b3d14a88)

crypto/algif_skcipher.c

diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
index 6a6dfc0..9e4854c 100644
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -438,13 +438,6 @@
 		char __user *from = iov->iov_base;
 
 		while (seglen) {
-			sgl = list_first_entry(&ctx->tsgl,
-					       struct skcipher_sg_list, list);
-			sg = sgl->sg;
-
-			while (!sg->length)
-				sg++;
-
 			used = ctx->used;
 			if (!used) {
 				err = skcipher_wait_for_data(sk, flags);
@@ -466,6 +459,13 @@
 			if (!used)
 				goto free;
 
+			sgl = list_first_entry(&ctx->tsgl,
+					       struct skcipher_sg_list, list);
+			sg = sgl->sg;
+
+			while (!sg->length)
+				sg++;
+
 			ablkcipher_request_set_crypt(&ctx->req, sg,
 						     ctx->rsgl.sg, used,
 						     ctx->iv);