From: Herbert Xu <herbert@gondor.apana.org.au>
To: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Vladimir Zapolskiy <vz@mleia.com>,
devicetree@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-crypto@vger.kernel.org,
Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Subject: Re: [PATCH 1/2] crypto: s5p-sss - Fix use after free of copied input buffer in error path
Date: Wed, 20 Apr 2016 17:59:02 +0800 [thread overview]
Message-ID: <20160420095902.GD3003@gondor.apana.org.au> (raw)
In-Reply-To: <1461073452-10426-1-git-send-email-k.kozlowski@samsung.com>
On Tue, Apr 19, 2016 at 03:44:11PM +0200, Krzysztof Kozlowski wrote:
> The driver makes copies of memory (input or output scatterlists) if they
> are not aligned. In s5p_aes_crypt_start() error path (on unsuccessful
> initialization of output scatterlist), if input scatterlist was not
> aligned, the driver first freed copied input memory and then unmapped it
> from the device, instead of doing otherwise (unmap and then free).
>
> This was wrong in two ways:
> 1. Freed pages were still mapped to the device.
> 2. The dma_unmap_sg() iterated over freed scatterlist structure.
>
> The call to s5p_free_sg_cpy() in this error path is not needed because
> the copied scatterlists will be freed by s5p_aes_complete().
>
> Fixes: 9e4a1100a445 ("crypto: s5p-sss - Handle unaligned buffers")
> Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Both applied.
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
next prev parent reply other threads:[~2016-04-20 9:59 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-19 13:44 [PATCH 1/2] crypto: s5p-sss - Fix use after free of copied input buffer in error path Krzysztof Kozlowski
2016-04-19 13:44 ` [PATCH 2/2] crypto: s5p-sss - Remove useless hash interrupt handler Krzysztof Kozlowski
[not found] ` <1461073452-10426-2-git-send-email-k.kozlowski-Sze3O3UU22JBDgjK7y7TUQ@public.gmane.org>
2016-04-20 10:04 ` Vladimir Zapolskiy
2016-04-20 10:04 ` Vladimir Zapolskiy
2016-04-21 15:24 ` Rob Herring
2016-04-20 9:59 ` Herbert Xu [this message]
2016-04-20 10:03 ` [PATCH 1/2] crypto: s5p-sss - Fix use after free of copied input buffer in error path Vladimir Zapolskiy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160420095902.GD3003@gondor.apana.org.au \
--to=herbert@gondor.apana.org.au \
--cc=b.zolnierkie@samsung.com \
--cc=davem@davemloft.net \
--cc=devicetree@vger.kernel.org \
--cc=k.kozlowski@samsung.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=vz@mleia.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.