Re: [PATCH] crypto: caam - fix the address of the last entry of S/G

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Apr 07, 2020 at 06:58:45PM +0300, Iuliana Prodan wrote:
> For skcipher algorithms, the input, output HW S/G tables
> look like this: [IV, src][dst, IV]
> Now, we can have 2 conditions here:
> - there is no IV;
> - src and dst are equal (in-place encryption) and scattered
> and the error is an "off-by-one" in the HW S/G table.
> 
> This issue was seen with KASAN:
> BUG: KASAN: slab-out-of-bounds in skcipher_edesc_alloc+0x95c/0x1018
> 
> Read of size 4 at addr ffff000022a02958 by task cryptomgr_test/321
> 
> CPU: 2 PID: 321 Comm: cryptomgr_test Not tainted
> 5.6.0-rc1-00165-ge4ef8383-dirty #4
> Hardware name: LS1046A RDB Board (DT)
> Call trace:
>  dump_backtrace+0x0/0x260
>  show_stack+0x14/0x20
>  dump_stack+0xe8/0x144
>  print_address_description.isra.11+0x64/0x348
>  __kasan_report+0x11c/0x230
>  kasan_report+0xc/0x18
>  __asan_load4+0x90/0xb0
>  skcipher_edesc_alloc+0x95c/0x1018
>  skcipher_encrypt+0x84/0x150
>  crypto_skcipher_encrypt+0x50/0x68
>  test_skcipher_vec_cfg+0x4d4/0xc10
>  test_skcipher_vec+0x178/0x1d8
>  alg_test_skcipher+0xec/0x230
>  alg_test.part.44+0x114/0x4a0
>  alg_test+0x1c/0x60
>  cryptomgr_test+0x34/0x58
>  kthread+0x1b8/0x1c0
>  ret_from_fork+0x10/0x18
> 
> Allocated by task 321:
>  save_stack+0x24/0xb0
>  __kasan_kmalloc.isra.10+0xc4/0xe0
>  kasan_kmalloc+0xc/0x18
>  __kmalloc+0x178/0x2b8
>  skcipher_edesc_alloc+0x21c/0x1018
>  skcipher_encrypt+0x84/0x150
>  crypto_skcipher_encrypt+0x50/0x68
>  test_skcipher_vec_cfg+0x4d4/0xc10
>  test_skcipher_vec+0x178/0x1d8
>  alg_test_skcipher+0xec/0x230
>  alg_test.part.44+0x114/0x4a0
>  alg_test+0x1c/0x60
>  cryptomgr_test+0x34/0x58
>  kthread+0x1b8/0x1c0
>  ret_from_fork+0x10/0x18
> 
> Freed by task 0:
> (stack is not available)
> 
> The buggy address belongs to the object at ffff000022a02800
>  which belongs to the cache dma-kmalloc-512 of size 512
> The buggy address is located 344 bytes inside of
>  512-byte region [ffff000022a02800, ffff000022a02a00)
> The buggy address belongs to the page:
> page:fffffe00006a8000 refcount:1 mapcount:0 mapping:ffff00093200c400
> index:0x0 compound_mapcount: 0
> flags: 0xffff00000010200(slab|head)
> raw: 0ffff00000010200 dead000000000100 dead000000000122 ffff00093200c400
> raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
> 
> Memory state around the buggy address:
>  ffff000022a02800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  ffff000022a02880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >ffff000022a02900: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
>                                                     ^
>  ffff000022a02980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff000022a02a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> 
> Fixes: 334d37c9e263 ("crypto: caam - update IV using HW support")
> Cc: <stable@xxxxxxxxxxxxxxx> # v5.3+
> Signed-off-by: Iuliana Prodan <iuliana.prodan@xxxxxxx>
> ---
>  drivers/crypto/caam/caamalg.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux