[PATCH] crypto: vmx - fix null dereference in p8_aes_xts_crypt

Linux cryptographic layer development
 help / color / mirror / Atom feed

From: Li Zhong <zhong@linux.vnet.ibm.com>
To: linux-crypto@vger.kernel.org
Cc: leosilva@linux.vnet.ibm.com, pfsmorigo@linux.vnet.ibm.com,
	herbert@gondor.apana.org.au
Subject: [PATCH] crypto: vmx -  fix null dereference in p8_aes_xts_crypt
Date: Wed, 24 Aug 2016 15:34:40 +0800	[thread overview]
Message-ID: <1472024080.3313.20.camel@TP420> (raw)

walk.iv is not assigned a value in blkcipher_walk_init. It makes iv uninitialized.
It is possibly a null value(as shown below), which is then used by aes_p8_encrypt. 

This patch moves iv = walk.iv after blkcipher_walk_virt, in which walk.iv is set.
 
[17856.268050] Unable to handle kernel paging request for data at address 0x00000000
[17856.268212] Faulting instruction address: 0xd000000002ff04bc
7:mon> t
[link register   ] d000000002ff47b8 p8_aes_xts_crypt+0x168/0x2a0 [vmx_crypto]   (938)
[c000000013b77960] d000000002ff4794 p8_aes_xts_crypt+0x144/0x2a0 [vmx_crypto] (unreliable)
[c000000013b77a70] c000000000544d64 skcipher_decrypt_blkcipher+0x64/0x80
[c000000013b77ac0] d000000003c0175c crypt_convert+0x53c/0x620 [dm_crypt]
[c000000013b77ba0] d000000003c043fc kcryptd_crypt+0x3cc/0x440 [dm_crypt]
[c000000013b77c50] c0000000000f3070 process_one_work+0x1e0/0x590
[c000000013b77ce0] c0000000000f34c8 worker_thread+0xa8/0x660
[c000000013b77d80] c0000000000fc0b0 kthread+0x110/0x130
[c000000013b77e30] c0000000000098f0 ret_from_kernel_thread+0x5c/0x6c

Signed-off-by: Li Zhong <zhong@linux.vnet.ibm.com>
---
 drivers/crypto/vmx/aes_xts.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/crypto/vmx/aes_xts.c b/drivers/crypto/vmx/aes_xts.c
index cfb2541..24353ec3 100644
--- a/drivers/crypto/vmx/aes_xts.c
+++ b/drivers/crypto/vmx/aes_xts.c
@@ -129,8 +129,8 @@ static int p8_aes_xts_crypt(struct blkcipher_desc *desc,
 
 		blkcipher_walk_init(&walk, dst, src, nbytes);
 
-		iv = (u8 *)walk.iv;
 		ret = blkcipher_walk_virt(desc, &walk);
+		iv = walk.iv;
 		memset(tweak, 0, AES_BLOCK_SIZE);
 		aes_p8_encrypt(iv, tweak, &ctx->tweak_key);

next             reply	other threads:[~2016-08-24  9:02 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-08-24  7:34 Li Zhong [this message]
2016-08-25  5:56 ` [PATCH] crypto: vmx - fix null dereference in p8_aes_xts_crypt Herbert Xu

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:cfb2541 dfblob:24353ec )
 OR (
bs:"[PATCH] crypto: vmx -  fix null dereference in p8_aes_xts_crypt" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1472024080.3313.20.camel@TP420 \
    --to=zhong@linux.vnet.ibm.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=leosilva@linux.vnet.ibm.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=pfsmorigo@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox