Re: FAILED: patch "[PATCH] crypto: virtio: Fix use-after-free in" failed to apply to 5.4-stable tree

[Sasha Levin <sashal@kernel.org>]

On Mon, Jun 15, 2020 at 10:19:29PM +0200, gregkh@linuxfoundation.org wrote:
>
>The patch below does not apply to the 5.4-stable tree.
>If someone wants it applied there, or to any other stable or longterm
>tree, then please email the backport, including the original git commit
>id to <stable@vger.kernel.org>.
>
>thanks,
>
>greg k-h
>
>------------------ original commit in Linus's tree ------------------
>
>From 8c855f0720ff006d75d0a2512c7f6c4f60ff60ee Mon Sep 17 00:00:00 2001
>From: "Longpeng(Mike)" <longpeng2@huawei.com>
>Date: Tue, 2 Jun 2020 15:05:00 +0800
>Subject: [PATCH] crypto: virtio: Fix use-after-free in
> virtio_crypto_skcipher_finalize_req()
>
>The system'll crash when the users insmod crypto/tcrypto.ko with mode=155
>( testing "authenc(hmac(sha1),cbc(aes))" ). It's caused by reuse the memory
>of request structure.
>
>In crypto_authenc_init_tfm(), the reqsize is set to:
>  [PART 1] sizeof(authenc_request_ctx) +
>  [PART 2] ictx->reqoff +
>  [PART 3] MAX(ahash part, skcipher part)
>and the 'PART 3' is used by both ahash and skcipher in turn.
>
>When the virtio_crypto driver finish skcipher req, it'll call ->complete
>callback(in crypto_finalize_skcipher_request) and then free its
>resources whose pointers are recorded in 'skcipher parts'.
>
>However, the ->complete is 'crypto_authenc_encrypt_done' in this case,
>it will use the 'ahash part' of the request and change its content,
>so virtio_crypto driver will get the wrong pointer after ->complete
>finish and mistakenly free some other's memory. So the system will crash
>when these memory will be used again.
>
>The resources which need to be cleaned up are not used any more. But the
>pointers of these resources may be changed in the function
>"crypto_finalize_skcipher_request". Thus release specific resources before
>calling this function.
>
>Fixes: dbaf0624ffa5 ("crypto: add virtio-crypto driver")
>Reported-by: LABBE Corentin <clabbe@baylibre.com>
>Cc: Gonglei <arei.gonglei@huawei.com>
>Cc: Herbert Xu <herbert@gondor.apana.org.au>
>Cc: "Michael S. Tsirkin" <mst@redhat.com>
>Cc: Jason Wang <jasowang@redhat.com>
>Cc: "David S. Miller" <davem@davemloft.net>
>Cc: virtualization@lists.linux-foundation.org
>Cc: linux-kernel@vger.kernel.org
>Cc: stable@vger.kernel.org
>Link: https://lore.kernel.org/r/20200123101000.GB24255@Red
>Acked-by: Gonglei <arei.gonglei@huawei.com>
>Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com>
>Link: https://lore.kernel.org/r/20200602070501.2023-3-longpeng2@huawei.com
>Signed-off-by: Michael S. Tsirkin <mst@redhat.com>

Conflict due to missing eee1d6fca0a0 ("crypto: virtio - switch to
skcipher API"). Fixed and queued for 5.4, 4.19, and 4.14.

-- 
Thanks,
Sasha