Hello
I have a problem when using a simple md5 tfm.
When I use the data that ahash_request_ctx() give me, it will cause random crash when removing the module later.
I do not understand it, because .cra_ctxsize seems to be rightly used.
The very simplified POC code will follow, it register a fake md5 implementation.
If I remove the op->mode = 0, I can modprobe/rmmod for ever without problem.
With it, rmmod will segfault in 2 or 3 tries, so it is this write that is the source of the problem.
I have try to debug, but I cannot find where __ctx (the pointer returned by ahash_request_ctx) is allocated.
Does I am right when saying: ahash_request_ctx() return the pointer to a structure of size equal to cra_ctxsize allocated for each request ?
Thanks in advance
Best regards
#include <linux/clk.h>
#include <linux/crypto.h>
#include <linux/io.h>
#include <linux/module.h>
#include <linux/of.h>
#include <linux/platform_device.h>
#include <crypto/scatterwalk.h>
#include <linux/scatterlist.h>
#include <linux/interrupt.h>
#include <linux/delay.h>
#include <crypto/md5.h>
#include <crypto/sha.h>
#include <crypto/hash.h>
#include <crypto/internal/hash.h>
struct sunxi_req_ctx {
u8 key[32 * 8];
u32 keylen;
u32 mode;
u64 byte_count;
u32 waitbuf;
unsigned int nbwait;
};
int fake_init(struct ahash_request *areq) {
struct sunxi_req_ctx *op = ahash_request_ctx(areq);
/* this is the location of action that cause the crash */
op->mode = 0;
op->nbwait = 0;
return 0;
}
int fake_update(struct ahash_request *areq) {
return 0;
}
int fake_final(struct ahash_request *areq) {
return 0;
}
int fake_finup(struct ahash_request *areq) {
fake_init(areq);
return 0;
}
int fake_digest(struct ahash_request *areq) {
fake_init(areq);
return 0;
}
static struct ahash_alg sunxi_md5_alg = {
.init = fake_init,
.update = fake_update,
.final = fake_final,
.finup = fake_finup,
.digest = fake_digest,
.halg = {
.digestsize = MD5_DIGEST_SIZE,
.base = {
.cra_name = "md5",
.cra_driver_name = "md5-sunxi-ss",
.cra_priority = 300,
.cra_alignmask = 3,
.cra_flags = CRYPTO_ALG_TYPE_AHASH | CRYPTO_ALG_ASYNC,
.cra_blocksize = MD5_HMAC_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct sunxi_req_ctx),
.cra_module = THIS_MODULE,
.cra_type = &crypto_ahash_type
}
}
};
static int sunxi_ss_md5_init(void)
{
int err = 0;
err = crypto_register_ahash(&sunxi_md5_alg);
if (err)
pr_err("crypto_register_alg error for MD5\n");
else
pr_info("Registred MD5\n");
return err;
}
static void __exit sunxi_ss_md5_exit(void)
{
crypto_unregister_ahash(&sunxi_md5_alg);
}
module_init(sunxi_ss_md5_init);
module_exit(sunxi_ss_md5_exit);
MODULE_DESCRIPTION("test MD5 module");
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Corentin LABBE <clabbe.montjoie@xxxxxxxxx>");
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
