On Tue, Apr 07, 2020 at 06:58:45PM +0300, Iuliana Prodan wrote: > For skcipher algorithms, the input, output HW S/G tables > look like this: [IV, src][dst, IV] > Now, we can have 2 conditions here: > - there is no IV; > - src and dst are equal (in-place encryption) and scattered > and the error is an "off-by-one" in the HW S/G table. > > This issue was seen with KASAN: > BUG: KASAN: slab-out-of-bounds in skcipher_edesc_alloc+0x95c/0x1018 > > Read of size 4 at addr ffff000022a02958 by task cryptomgr_test/321 > > CPU: 2 PID: 321 Comm: cryptomgr_test Not tainted > 5.6.0-rc1-00165-ge4ef8383-dirty #4 > Hardware name: LS1046A RDB Board (DT) > Call trace: > dump_backtrace+0x0/0x260 > show_stack+0x14/0x20 > dump_stack+0xe8/0x144 > print_address_description.isra.11+0x64/0x348 > __kasan_report+0x11c/0x230 > kasan_report+0xc/0x18 > __asan_load4+0x90/0xb0 > skcipher_edesc_alloc+0x95c/0x1018 > skcipher_encrypt+0x84/0x150 > crypto_skcipher_encrypt+0x50/0x68 > test_skcipher_vec_cfg+0x4d4/0xc10 > test_skcipher_vec+0x178/0x1d8 > alg_test_skcipher+0xec/0x230 > alg_test.part.44+0x114/0x4a0 > alg_test+0x1c/0x60 > cryptomgr_test+0x34/0x58 > kthread+0x1b8/0x1c0 > ret_from_fork+0x10/0x18 > > Allocated by task 321: > save_stack+0x24/0xb0 > __kasan_kmalloc.isra.10+0xc4/0xe0 > kasan_kmalloc+0xc/0x18 > __kmalloc+0x178/0x2b8 > skcipher_edesc_alloc+0x21c/0x1018 > skcipher_encrypt+0x84/0x150 > crypto_skcipher_encrypt+0x50/0x68 > test_skcipher_vec_cfg+0x4d4/0xc10 > test_skcipher_vec+0x178/0x1d8 > alg_test_skcipher+0xec/0x230 > alg_test.part.44+0x114/0x4a0 > alg_test+0x1c/0x60 > cryptomgr_test+0x34/0x58 > kthread+0x1b8/0x1c0 > ret_from_fork+0x10/0x18 > > Freed by task 0: > (stack is not available) > > The buggy address belongs to the object at ffff000022a02800 > which belongs to the cache dma-kmalloc-512 of size 512 > The buggy address is located 344 bytes inside of > 512-byte region [ffff000022a02800, ffff000022a02a00) > The buggy address belongs to the page: > page:fffffe00006a8000 refcount:1 mapcount:0 mapping:ffff00093200c400 > index:0x0 compound_mapcount: 0 > flags: 0xffff00000010200(slab|head) > raw: 0ffff00000010200 dead000000000100 dead000000000122 ffff00093200c400 > raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 > page dumped because: kasan: bad access detected > > Memory state around the buggy address: > ffff000022a02800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > ffff000022a02880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 > >ffff000022a02900: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc > ^ > ffff000022a02980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ffff000022a02a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > > Fixes: 334d37c9e263 ("crypto: caam - update IV using HW support") > Cc: <stable@xxxxxxxxxxxxxxx> # v5.3+ > Signed-off-by: Iuliana Prodan <iuliana.prodan@xxxxxxx> > --- > drivers/crypto/caam/caamalg.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) Patch applied. Thanks. -- Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt