From: Vladimir Zapolskiy <vz@mleia.com>
To: Krzysztof Kozlowski <k.kozlowski@samsung.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	devicetree@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-crypto@vger.kernel.org
Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Subject: Re: [PATCH 1/2] crypto: s5p-sss - Fix use after free of copied input buffer in error path
Date: Wed, 20 Apr 2016 13:03:43 +0300
Message-ID: <571753FF.9080405@mleia.com>
In-Reply-To: <1461073452-10426-1-git-send-email-k.kozlowski@samsung.com>

Hi Krzysztof,

On 19.04.2016 16:44, Krzysztof Kozlowski wrote:
> The driver makes copies of memory (input or output scatterlists) if they
> are not aligned. In s5p_aes_crypt_start() error path (on unsuccessful
> initialization of output scatterlist), if input scatterlist was not
> aligned, the driver first freed copied input memory and then unmapped it
> from the device, instead of doing otherwise (unmap and then free).
> 
> This was wrong in two ways:
> 1. Freed pages were still mapped to the device.
> 2. The dma_unmap_sg() iterated over freed scatterlist structure.
> 
> The call to s5p_free_sg_cpy() in this error path is not needed because
> the copied scatterlists will be freed by s5p_aes_complete().
> 
> Fixes: 9e4a1100a445 ("crypto: s5p-sss - Handle unaligned buffers")
> Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>

I see that Herbert has just applied the changes, but anyway I reviewed
them and they are good in my opinion.

Acked-by: Vladimir Zapolskiy <vz@mleia.com>

> ---
>  drivers/crypto/s5p-sss.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/drivers/crypto/s5p-sss.c b/drivers/crypto/s5p-sss.c
> index 4f6d5b3ec418..b0484d4d68d9 100644
> --- a/drivers/crypto/s5p-sss.c
> +++ b/drivers/crypto/s5p-sss.c
> @@ -577,7 +577,6 @@ static void s5p_aes_crypt_start(struct s5p_aes_dev *dev, unsigned long mode)
>  	return;
>  
>  outdata_error:
> -	s5p_free_sg_cpy(dev, &dev->sg_src_cpy);
>  	s5p_unset_indata(dev);
>  
>  indata_error:
> 
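Review bot: at outdata_error, with the s5p_free_sg_cpy() call gone, nothing visible in this hunk frees dev->sg_src_cpy; the commit message says s5p_aes_complete() does it, but the lines after indata_error that would reach it are outside the context shown. Please confirm that path is taken on this error and that it runs only after s5p_unset_indata() has unmapped the buffer, and consider a one-line comment at outdata_error stating that the copy is released on completion, so a later cleanup does not reintroduce the free here.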

--
With best wishes,
Vladimir
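
The ordering rule from the quoted commit message (unmap from the device, then free), as an added example that is not part of the original message or the driver: a constructed userspace model that replays allocate/map/unmap/free events for one buffer and reports the two problems the commit message lists. All names (`check_lifecycle`, `error_path`, the `EV_*` and `V_*` constants) are hypothetical and no kernel API is used.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed userspace model; all names hypothetical, not driver code. */
enum ev { EV_ALLOC, EV_MAP, EV_UNMAP, EV_FREE };

enum {
    V_FREE_WHILE_MAPPED = 1 << 0, /* problem 1 in the commit message */
    V_UNMAP_AFTER_FREE  = 1 << 1, /* problem 2 in the commit message */
    V_LEAK              = 1 << 2, /* still allocated or mapped at end */
};

/* Replay an event sequence; return the OR of every violation seen. */
static unsigned check_lifecycle(const enum ev *seq, size_t n)
{
    int allocated = 0, mapped = 0;
    unsigned v = 0;
    for (size_t i = 0; i < n; i++) {
        switch (seq[i]) {
        case EV_ALLOC: allocated = 1; break;
        case EV_MAP:   mapped = 1;    break;
        case EV_UNMAP:
            /* Unmap walks the buffer's own list, so it must be live. */
            if (!allocated) v |= V_UNMAP_AFTER_FREE;
            mapped = 0;
            break;
        case EV_FREE:
            if (mapped) v |= V_FREE_WHILE_MAPPED;
            allocated = 0;
            break;
        }
    }
    if (allocated || mapped) v |= V_LEAK;
    return v;
}

/* free_first = 1: old order (free, then unmap); 0: patched order,
 * where the free happens later in the completion step. */
static unsigned error_path(int free_first)
{
    const enum ev old_seq[] = { EV_ALLOC, EV_MAP, EV_FREE, EV_UNMAP };
    const enum ev new_seq[] = { EV_ALLOC, EV_MAP, EV_UNMAP, EV_FREE };
    return check_lifecycle(free_first ? old_seq : new_seq, 4);
}

int main(void)
{
    printf("old order: %u, patched order: %u\n", error_path(1), error_path(0));
    return 0;
}
```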
