linux-crypto.vger.kernel.org archive mirror
From: Boris Brezillon <boris.brezillon@free-electrons.com>
To: Russell King <rmk+kernel@arm.linux.org.uk>
Cc: Arnaud Ebalard <arno@natisbad.org>,
	Thomas Petazzoni <thomas.petazzoni@free-electrons.com>,
	Jason Cooper <jason@lakedaemon.net>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	linux-crypto@vger.kernel.org
Subject: Re: [PATCH v3 3/5] crypto: marvell: initialise struct mv_cesa_ahash_req
Date: Fri, 9 Oct 2015 21:50:18 +0200
Message-ID: <20151009215018.344b4f70@bbrezillon>
In-Reply-To: <E1ZkdZv-0005If-QE@rmk-PC.arm.linux.org.uk>

Hi Russell,

On Fri, 09 Oct 2015 20:43:43 +0100
Russell King <rmk+kernel@arm.linux.org.uk> wrote:

> When an AF_ALG fd is accepted a second time (hence hash_accept() is
> used), hash_accept_parent() allocates a new private context using
> sock_kmalloc().  This context is uninitialised.  After use of the new
> fd, we eventually end up with the kernel complaining:
> 
> marvell-cesa f1090000.crypto: dma_pool_free cesa_padding, c0627770/0 (bad dma)
> 
> where c0627770 is a random address.  Poisoning the memory allocated by
> the above sock_kmalloc() produces kernel oopses within the marvell hash
> code, particularly the interrupt handling.
> 
> The following simplified call sequence occurs:
> 
> hash_accept()
>   crypto_ahash_export()
>     marvell hash export function
>   af_alg_accept()
>     hash_accept_parent()	<== allocates uninitialised struct hash_ctx
>   crypto_ahash_import()
>     marvell hash import function
> 
> hash_ctx contains the struct mv_cesa_ahash_req in its req.__ctx member,
> and, as the marvell hash import function only partially initialises
> this structure, we end up with a lot of members which are left with
> whatever data was in memory prior to sock_kmalloc().
> 
> Add zero-initialisation of this structure.

Maybe you should also change your commit message since this patch no
longer initializes the req struct to zero, otherwise

Acked-by: Boris Brezillon <boris.brezillon@free-electronc.com>

> 
> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
> ---
>  drivers/crypto/marvell/hash.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
> 
> diff --git a/drivers/crypto/marvell/hash.c b/drivers/crypto/marvell/hash.c
> index a259aced3b42..458867ce9515 100644
> --- a/drivers/crypto/marvell/hash.c
> +++ b/drivers/crypto/marvell/hash.c
> @@ -831,6 +831,10 @@ static int mv_cesa_md5_import(struct ahash_request *req, const void *in)
>  	unsigned int cache_ptr;
>  	int ret;
>  
> +	ret = crypto_ahash_init(req);
> +	if (ret)
> +		return ret;
> +
>  	creq->len = in_state->byte_count;
>  	memcpy(creq->state, in_state->hash, digsize);
>  	creq->cache_ptr = 0;
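Review bot: The changelog ends with "Add zero-initialisation of this structure", but the lines added at the top of mv_cesa_md5_import() call crypto_ahash_init(req) and return its error; nothing here zeroes the structure. Reword the changelog to say that import now runs the init path first and then overwrites creq->len, creq->state and creq->cache_ptr with the imported values, and that the fix relies on init setting every remaining member of struct mv_cesa_ahash_req.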
> @@ -921,6 +925,10 @@ static int mv_cesa_sha1_import(struct ahash_request *req, const void *in)
>  	unsigned int cache_ptr;
>  	int ret;
>  
> +	ret = crypto_ahash_init(req);
> +	if (ret)
> +		return ret;
> +
>  	creq->len = in_state->count;
>  	memcpy(creq->state, in_state->state, digsize);
>  	creq->cache_ptr = 0;
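Review bot: The crypto_ahash_init(req) call added at the top of mv_cesa_sha1_import() carries no comment, and its position matters: it has to stay ahead of the creq->len, creq->state and creq->cache_ptr assignments that follow, since anything init sets after them would replace the imported values. A one-line comment saying that init is called to put the request context into a known state before the import overwrites it would keep a later cleanup from moving or dropping the call.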
> @@ -1022,6 +1030,10 @@ static int mv_cesa_sha256_import(struct ahash_request *req, const void *in)
>  	unsigned int cache_ptr;
>  	int ret;
>  
> +	ret = crypto_ahash_init(req);
> +	if (ret)
> +		return ret;
> +
>  	creq->len = in_state->count;
>  	memcpy(creq->state, in_state->state, digsize);
>  	creq->cache_ptr = 0;
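Review bot: With this hunk the same four added lines (ret = crypto_ahash_init(req); if (ret) return ret;) sit at the top of mv_cesa_md5_import(), mv_cesa_sha1_import() and mv_cesa_sha256_import(), each followed by the same len, state and cache_ptr assignments. A shared helper taking the length, the state pointer and the digest size would keep the initialisation in one place, so that an import function added later cannot omit it.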



-- 
Boris Brezillon, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com
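
A user-space model of the failure described in the quoted commit message, added here as an illustration; it is not code from the patch or the driver. The struct layouts, model_init() and the padding_addr member are hypothetical stand-ins, and the 0x6b fill is constructed stale data.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins, not the driver's real structures. */
struct model_state { uint64_t byte_count; uint32_t hash[4]; };
struct model_req {
	uint64_t len;
	uint32_t state[4];
	unsigned int cache_ptr;
	uintptr_t padding_addr;	/* released on cleanup when non-zero */
};

/* Assumed init routine: puts every member into a known state. */
static int model_init(struct model_req *r)
{
	memset(r, 0, sizeof(*r));
	return 0;
}

/* Import sets only the members carried by the exported state;
 * with init_first set it has the shape of the patch. */
static int model_import(struct model_req *r, const struct model_state *in,
			int init_first)
{
	int ret = init_first ? model_init(r) : 0;

	if (ret)
		return ret;
	r->len = in->byte_count;
	memcpy(r->state, in->hash, sizeof(r->state));
	r->cache_ptr = 0;
	return 0;
}

/* Returns 1 if a stale address survives import, 0 if not, -1 on OOM. */
static int stale_after_import(int init_first)
{
	struct model_state in = { 64, { 1, 2, 3, 4 } };	/* constructed input */
	struct model_req *r = malloc(sizeof(*r));
	int stale;

	if (!r)
		return -1;
	memset(r, 0x6b, sizeof(*r));	/* constructed poison: stale heap data */
	model_import(r, &in, init_first);
	stale = r->padding_addr != 0;	/* cleanup would act on this value */
	free(r);
	return stale;
}

int main(void) { return stale_after_import(1); }
```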
