On Mon, Feb 06, 2023 at 11:10:08PM -0800, Jakub Kicinski wrote:
> On Mon, 6 Feb 2023 18:21:06 +0800 Herbert Xu wrote:
> > The crypto completion function currently takes a pointer to a
> > struct crypto_async_request object. However, in reality the API
> > does not allow the use of any part of the object apart from the
> > data field. For example, ahash/shash will create a fake object
> > on the stack to pass along a different data field.
>
> "different data field" == copy the value to a different structure?
> A bit hard to parse TBH.

The word data here refers to the data field in struct
crypto_async_request.

> Buggy means bug could be hit in real light or buggy == did not use
> the API right?

Yes this bug is real. If you hit a driver/algorithm that returns
a different request object (of which there are many in the API)
then you will be dereferencing random pointers.

Cheers,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
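
The failure mode described in the message above, as an added userspace example that is not code from this thread or from the kernel: a completion callback can always reach its context through the data field, but the request pointer it receives is only the caller's own object when the completer did not substitute a fake one. The names struct async_req, struct op_ctx, op_done, complete_direct, complete_via_fake and run_completion are hypothetical, and the struct is a simplified stand-in for struct crypto_async_request.

```c
#include <stdio.h>

/* Userspace stand-in for struct crypto_async_request (simplified, assumed layout). */
struct async_req {
    void (*complete)(struct async_req *req, int err);
    void *data;
};

/* Hypothetical caller state that embeds its request. */
struct op_ctx {
    int done;          /* set through req->data */
    int req_is_ours;   /* 1 if the callback got the object we submitted */
    struct async_req req;
};

static void op_done(struct async_req *req, int err)
{
    struct op_ctx *ctx = req->data;   /* the only field that is safe to use */
    (void)err;
    /* container_of(req, struct op_ctx, req) is valid only when this holds */
    ctx->req_is_ours = (req == &ctx->req);
    ctx->done = 1;
}

/* Completes with the caller's own request object. */
static void complete_direct(struct async_req *req) { req->complete(req, 0); }

/* Completes with a fake on-stack object that carries only the data field. */
static void complete_via_fake(struct async_req *req)
{
    struct async_req fake = { .complete = NULL, .data = req->data };
    req->complete(&fake, 0);
}

/* Returns bit 0 = context reached via data, bit 1 = req pointer was the original. */
int run_completion(int use_fake)
{
    struct op_ctx ctx = { 0 };
    ctx.req.complete = op_done;
    ctx.req.data = &ctx;
    if (use_fake) complete_via_fake(&ctx.req); else complete_direct(&ctx.req);
    return ctx.done | (ctx.req_is_ours << 1);
}

int main(void)
{
    printf("direct: %d, fake: %d\n", run_completion(0), run_completion(1));
    return 0;
}
```

In the fake-object case bit 1 is clear, so a callback that applied container_of() to req, or read any field other than data, would be working on an unrelated stack object.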