the drbg code was binding the same buffer to two different scatter gather lists and submitting those as source and destination to a crypto api operation, thus potentially causing HW crypto drivers to perform overlapping DMA mappings which are not aware it is the same buffer.
This can have serious consequences of data corruption of internal DRBG buffers and wrong RNG output.
Fix this by reusing the same scatter gatther list for both src and dst.
Signed-off-by: Gilad Ben-Yossef gilad@benyossef.com Reported-by: Corentin Labbe clabbe.montjoie@gmail.com Tested-by: Corentin Labbe clabbe.montjoie@gmail.com Tested-on: r8a7795-salvator-x Tested-on: xilinx-zc706 Fixes: 43490e8046b5d ("crypto: drbg - in-place cipher operation for CTR") Cc: stable@vger.kernel.org --- crypto/drbg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/drbg.c b/crypto/drbg.c index 177983b6ae38..13824fd27627 100644 --- a/crypto/drbg.c +++ b/crypto/drbg.c @@ -1851,7 +1851,7 @@ static int drbg_kcapi_sym_ctr(struct drbg_state *drbg, /* Use scratchpad for in-place operation */ inlen = scratchpad_use; memset(drbg->outscratchpad, 0, scratchpad_use); - sg_set_buf(sg_in, drbg->outscratchpad, scratchpad_use); + sg_in = sg_out; }
while (outlen) {