From 83c2104a99da69885da1381ab3eeabb04467c7fc Mon Sep 17 00:00:00 2001
From: Herbert Xu <20160318144240.GA20816@gondor.apana.org.au>
Date: Fri, 18 Mar 2016 02:42:00 +0900
Subject: [PATCH] gcm - Fix rfc4543 decryption crash

Orabug: 25243093

This bug has already bee fixed upstream since 4.2.  However, it
was fixed during the AEAD conversion so no fix was backported to
the older kernels.

When we do an RFC 4543 decryption, we will end up writing the
ICV beyond the end of the dst buffer.  This should lead to a
crash but for some reason it was never noticed.

This patch fixes it by only writing back the ICV for encryption.

Fixes: d733ac90f9fe ("crypto: gcm - fix rfc4543 to handle async...")
Reported-by: Patrick Meyer <patrick.meyer@vasgard.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Ethan Zhao <ethan.zhao@oracle.com>
---
 crypto/gcm.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/crypto/gcm.c b/crypto/gcm.c
index b56200eff029..33adbc4a4b51 100644
--- a/crypto/gcm.c
+++ b/crypto/gcm.c
@@ -1173,6 +1173,9 @@ static struct aead_request *crypto_rfc4543_crypt(struct aead_request *req,
 	aead_request_set_tfm(subreq, ctx->child);
 	aead_request_set_callback(subreq, req->base.flags, crypto_rfc4543_done,
 				  req);
+	if (!enc)
+		aead_request_set_callback(subreq, req->base.flags,
+						req->base.complete, req->base.data);
 	aead_request_set_crypt(subreq, cipher, cipher, enc ? 0 : authsize, iv);
 	aead_request_set_assoc(subreq, assoc, assoclen);
 
-- 
2.50.1