From: Boris Brezillon <boris.brezillon@free-electrons.com>
To: Russell King <rmk+kernel@arm.linux.org.uk>
Cc: Arnaud Ebalard <arno@natisbad.org>,
	Thomas Petazzoni <thomas.petazzoni@free-electrons.com>,
	Jason Cooper <jason@lakedaemon.net>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	linux-crypto@vger.kernel.org
Subject: Re: [PATCH v3 3/5] crypto: marvell: initialise struct mv_cesa_ahash_req
Date: Fri, 9 Oct 2015 21:50:18 +0200
Message-ID: <20151009215018.344b4f70@bbrezillon>
In-Reply-To: <E1ZkdZv-0005If-QE@rmk-PC.arm.linux.org.uk>

Hi Russell,

On Fri, 09 Oct 2015 20:43:43 +0100
Russell King <rmk+kernel@arm.linux.org.uk> wrote:

> When an AF_ALG fd is accepted a second time (hence hash_accept() is
> used), hash_accept_parent() allocates a new private context using
> sock_kmalloc().  This context is uninitialised.  After use of the new
> fd, we eventually end up with the kernel complaining:
> 
> marvell-cesa f1090000.crypto: dma_pool_free cesa_padding, c0627770/0 (bad dma)
> 
> where c0627770 is a random address.  Poisoning the memory allocated by
> the above sock_kmalloc() produces kernel oopses within the marvell hash
> code, particularly the interrupt handling.
> 
> The following simplified call sequence occurs:
> 
> hash_accept()
>   crypto_ahash_export()
>     marvell hash export function
>   af_alg_accept()
>     hash_accept_parent()	<== allocates uninitialised struct hash_ctx
>   crypto_ahash_import()
>     marvell hash import function
> 
> hash_ctx contains the struct mv_cesa_ahash_req in its req.__ctx member,
> and, as the marvell hash import function only partially initialises
> this structure, we end up with a lot of members which are left with
> whatever data was in memory prior to sock_kmalloc().
> 
> Add zero-initialisation of this structure.

Maybe you should also change your commit message since this patch no
longer initializes the req struct to zero, otherwise

Acked-by: Boris Brezillon <boris.brezillon@free-electronc.com>

> 
> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
> ---
>  drivers/crypto/marvell/hash.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 
> diff --git a/drivers/crypto/marvell/hash.c b/drivers/crypto/marvell/hash.c
> index a259aced3b42..458867ce9515 100644
> --- a/drivers/crypto/marvell/hash.c
> +++ b/drivers/crypto/marvell/hash.c
> @@ -831,6 +831,10 @@ static int mv_cesa_md5_import(struct ahash_request *req, const void *in)
>  	unsigned int cache_ptr;
>  	int ret;
>  
> +	ret = crypto_ahash_init(req);
> +	if (ret)
> +		return ret;
> +
>  	creq->len = in_state->byte_count;
>  	memcpy(creq->state, in_state->hash, digsize);
>  	creq->cache_ptr = 0;
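
Review bot: in mv_cesa_md5_import() the new crypto_ahash_init(req) call is what the fix now rests on, yet the changelog still ends with "Add zero-initialisation of this structure" and nothing in the hunk zeroes the request context. Only creq->len, creq->state and creq->cache_ptr are assigned in the visible lines after the call, so any member of struct mv_cesa_ahash_req that the init path does not write keeps whatever sock_kmalloc() returned. Either state in the changelog that init sets every remaining member, or clear the context explicitly before the call.
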
> @@ -921,6 +925,10 @@ static int mv_cesa_sha1_import(struct ahash_request *req, const void *in)
>  	unsigned int cache_ptr;
>  	int ret;
>  
> +	ret = crypto_ahash_init(req);
> +	if (ret)
> +		return ret;
> +
>  	creq->len = in_state->count;
>  	memcpy(creq->state, in_state->state, digsize);
>  	creq->cache_ptr = 0;
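
Review bot: the four lines added to mv_cesa_sha1_import() are identical to the ones added to mv_cesa_md5_import() and mv_cesa_sha256_import(), and the context lines that follow them (creq->len, the memcpy into creq->state, creq->cache_ptr = 0) differ only in the in_state field names. A shared import helper taking the saved state, length and digest size would keep the init call in one place, so a later import function cannot omit it.
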
> @@ -1022,6 +1030,10 @@ static int mv_cesa_sha256_import(struct ahash_request *req, const void *in)
>  	unsigned int cache_ptr;
>  	int ret;
>  
> +	ret = crypto_ahash_init(req);
> +	if (ret)
> +		return ret;
> +
>  	creq->len = in_state->count;
>  	memcpy(creq->state, in_state->state, digsize);
>  	creq->cache_ptr = 0;
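
Review bot: the crypto_ahash_init(req) call at the top of mv_cesa_sha256_import() needs a short comment, because calling init from an import function is not self-explanatory. A note that the request context may be uninitialised memory when import is reached through hash_accept(), and has to be fully set up before the saved state is copied in, would keep the call from being removed later as redundant.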



-- 
Boris Brezillon, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com
