crypto: testmgr - don't copy from source IV too much

Orabug: 25243093

While the destination buffer 'iv' is MAX_IVLEN size,
the source 'template[i].iv' could be smaller, thus
memcpy may read read invalid memory.
Use crypto_skcipher_ivsize() to get real ivsize
and pass it to memcpy.

Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 84cba178a3b88efe2668a9039f70abda072faa21)
Signed-off-by: Ethan Zhao <ethan.zhao@oracle.com>

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 09c06e7e085000ef1248580748fb5d926a362389..b852d9bd24d4ae1eb5e4af4932bca847ff56f1b0 100644 (file)
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -923,6 +923,7 @@ static int __test_skcipher(struct crypto_ablkcipher *tfm, int enc,
        char *xbuf[XBUFSIZE];
        char *xoutbuf[XBUFSIZE];
        int ret = -ENOMEM;
+       unsigned int ivsize = crypto_ablkcipher_ivsize(tfm);
 
        if (testmgr_alloc_buf(xbuf))
                goto out_nobuf;
@@ -958,7 +959,7 @@ static int __test_skcipher(struct crypto_ablkcipher *tfm, int enc,
                        continue;
 
                if (template[i].iv)
-                       memcpy(iv, template[i].iv, MAX_IVLEN);
+                       memcpy(iv, template[i].iv, ivsize);
                else
                        memset(iv, 0, MAX_IVLEN);
 
@@ -1033,7 +1034,7 @@ static int __test_skcipher(struct crypto_ablkcipher *tfm, int enc,
                        continue;
 
                if (template[i].iv)
-                       memcpy(iv, template[i].iv, MAX_IVLEN);
+                       memcpy(iv, template[i].iv, ivsize);
                else
                        memset(iv, 0, MAX_IVLEN);