From: Boris Brezillon <boris.brezillon@free-electrons.com>
To: Russell King <rmk+kernel@arm.linux.org.uk>
Cc: Arnaud Ebalard <arno@natisbad.org>,
Thomas Petazzoni <thomas.petazzoni@free-electrons.com>,
Jason Cooper <jason@lakedaemon.net>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
linux-crypto@vger.kernel.org
Subject: Re: [PATCH v3 1/5] crypto: ensure algif_hash does not pass a zero-sized state
Date: Sat, 10 Oct 2015 18:46:07 +0200
Message-ID: <20151010184607.353cb5f3@bbrezillon>
In-Reply-To: <E1ZkdZl-0005IT-IU@rmk-PC.arm.linux.org.uk>
On Fri, 09 Oct 2015 20:43:33 +0100
Russell King <rmk+kernel@arm.linux.org.uk> wrote:
> If the algorithm passed a zero statesize, do not pass a valid pointer
> into the export/import functions. Passing a valid pointer covers up
> bugs in driver code which then go on to smash the kernel stack.
> Instead, pass NULL, which will cause any attempt to write to the
> pointer to fail.
>
> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
> ---
> crypto/ahash.c | 3 ++-
> crypto/shash.c | 3 ++-
> 2 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/crypto/ahash.c b/crypto/ahash.c
> index 8acb886032ae..9c1dc8d6106a 100644
> --- a/crypto/ahash.c
> +++ b/crypto/ahash.c
> @@ -544,7 +544,8 @@ static int ahash_prepare_alg(struct ahash_alg *alg)
> struct crypto_alg *base = &alg->halg.base;
>
> if (alg->halg.digestsize > PAGE_SIZE / 8 ||
> - alg->halg.statesize > PAGE_SIZE / 8)
> + alg->halg.statesize > PAGE_SIZE / 8 ||
> + alg->halg.statesize == 0)

Just read Russell's answer to the cover letter, and I wonder if the
following test wouldn't fix the problem:

    (alg->halg.statesize == 0 && (alg->import || alg->export))

I mean, the only valid case where statesize can be zero is when you
don't have any state associated with the crypto algorithm, and if that's
the case, ->import() and ->export() functions are useless, aren't they?

Best Regards,

Boris

> return -EINVAL;
>
> base->cra_type = &crypto_ahash_type;
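
Review bot: the added `alg->halg.statesize == 0` test in ahash_prepare_alg() makes registration fail with -EINVAL, which is not what the commit message describes: the log talks about passing NULL to the export/import functions, and the subject names algif_hash while the diffstat touches only crypto/ahash.c and crypto/shash.c. Please reword the log to say that algorithms with a zero statesize are now rejected at registration, and why, so the message matches the code.
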
> diff --git a/crypto/shash.c b/crypto/shash.c
> index ecb1e3d39bf0..ab3384b38542 100644
> --- a/crypto/shash.c
> +++ b/crypto/shash.c
> @@ -585,7 +585,8 @@ static int shash_prepare_alg(struct shash_alg *alg)
>
> if (alg->digestsize > PAGE_SIZE / 8 ||
> alg->descsize > PAGE_SIZE / 8 ||
> - alg->statesize > PAGE_SIZE / 8)
> + alg->statesize > PAGE_SIZE / 8 ||
> + alg->statesize == 0)
> return -EINVAL;
>
> base->cra_type = &crypto_shash_type;
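
Review bot: in shash_prepare_alg() the new `alg->statesize == 0` clause shares the single `return -EINVAL` with the three PAGE_SIZE / 8 limit checks, so a driver that fails to register cannot tell a missing statesize from an oversized field, and nothing in the code says why zero is invalid. Consider a separate `if` with a one-line comment, and documenting the non-zero requirement where statesize is declared; the identical clause in ahash_prepare_alg() would want the same treatment.
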
--
Boris Brezillon, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com
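
The two registration checks discussed in this message, compared side by side as an added example (not code from the patch or from the kernel tree). The struct `model_hash_alg`, the 4 KiB page size, the sample descriptors and the folding of the reply's clause into the existing size limits are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u /* assumption: 4 KiB pages */

/* Hypothetical stand-in for the fields both checks read; not the kernel struct. */
struct model_hash_alg {
    const char *name;
    unsigned int digestsize, statesize;
    int (*export)(void *req, void *out);
    int (*import)(void *req, const void *in);
};

static int over_limit(const struct model_hash_alg *alg)
{
    return alg->digestsize > MODEL_PAGE_SIZE / 8 ||
           alg->statesize > MODEL_PAGE_SIZE / 8;
}

/* Condition from the quoted patch: every zero statesize is rejected. */
int prepare_patch(const struct model_hash_alg *alg)
{
    return (over_limit(alg) || alg->statesize == 0) ? -EINVAL : 0;
}

/* Condition suggested in the reply: zero is rejected only with import/export set. */
int prepare_reply(const struct model_hash_alg *alg)
{
    return (over_limit(alg) ||
            (alg->statesize == 0 && (alg->import || alg->export))) ? -EINVAL : 0;
}

static int ex(void *r, void *o) { (void)r; (void)o; return 0; }
static int im(void *r, const void *i) { (void)r; (void)i; return 0; }

/* Constructed sample descriptors, one per case the thread distinguishes. */
const struct model_hash_alg samples[] = {
    { "state-and-callbacks",         20, 96,   ex,   im   },
    { "callbacks-without-statesize", 20, 0,    ex,   im   },
    { "stateless-no-callbacks",      20, 0,    NULL, NULL },
    { "oversized-state",             20, 4096, ex,   im   },
};

int main(void)
{
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-28s patch=%d reply=%d\n", samples[i].name,
               prepare_patch(&samples[i]), prepare_reply(&samples[i]));
    return 0;
}
```

The two conditions differ only on the third descriptor: a zero statesize with neither callback set is refused by the patch's check and accepted by the reply's.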