From: LABBE Corentin <clabbe@baylibre.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] crypto: arm64/aes - do not call crypto_unregister_skcipher twice on error
Date: Fri, 24 Nov 2017 06:52:33 +0100 [thread overview]
Message-ID: <20171124055233.GA16381@Red> (raw)
In-Reply-To: <CAKv+Gu9m3v_iMdg8ngX-3x1HT+c8D52dhjJ=MiTp11VByD=ewA@mail.gmail.com>
On Wed, Nov 22, 2017 at 08:55:14AM +0000, Ard Biesheuvel wrote:
> Hello Corentin,
>
> On 22 November 2017 at 08:08, Corentin Labbe <clabbe@baylibre.com> wrote:
> > When a cipher fail
>
> fails
>
> > to register in aes_init(), the error path go thought
>
> goes through
>
> > aes_exit() then crypto_unregister_skciphers().
> > Since aes_exit calls also crypto_unregister_skcipher, this trigger a
>
> triggers
>
> > refcount_t: underflow; use-after-free.
> >
> > Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
> > ---
> > arch/arm64/crypto/aes-glue.c | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/arch/arm64/crypto/aes-glue.c b/arch/arm64/crypto/aes-glue.c
> > index 998ba519a026..9e42ec96243e 100644
> > --- a/arch/arm64/crypto/aes-glue.c
> > +++ b/arch/arm64/crypto/aes-glue.c
> > @@ -664,7 +664,10 @@ static int __init aes_init(void)
> > return 0;
> >
> > unregister_simds:
> > - aes_exit();
> > + for (i = 0; i < ARRAY_SIZE(aes_simd_algs); i++)
> > + if (aes_simd_algs[i])
> > + simd_skcipher_free(aes_simd_algs[i]);
> > + crypto_unregister_shashes(mac_algs, ARRAY_SIZE(mac_algs));
> > unregister_ciphers:
> > crypto_unregister_skciphers(aes_algs, ARRAY_SIZE(aes_algs));
> > return err;
> > --
> > 2.13.6
> >
> >
>
>
> Would this also fix it?
>
> diff --git a/arch/arm64/crypto/aes-glue.c b/arch/arm64/crypto/aes-glue.c
> index 998ba519a026..2fa850e86aa8 100644
> --- a/arch/arm64/crypto/aes-glue.c
> +++ b/arch/arm64/crypto/aes-glue.c
> @@ -665,6 +665,7 @@ static int __init aes_init(void)
>
> unregister_simds:
> aes_exit();
> + return err;
> unregister_ciphers:
> crypto_unregister_skciphers(aes_algs, ARRAY_SIZE(aes_algs));
> return err;
Yes it is better.
I will send a v2 today.
Regards
prev parent reply other threads:[~2017-11-24 5:52 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-22 8:08 [PATCH] crypto: arm64/aes - do not call crypto_unregister_skcipher twice on error Corentin Labbe
2017-11-22 8:55 ` Ard Biesheuvel
2017-11-24 4:55 ` Herbert Xu
2017-11-24 5:52 ` LABBE Corentin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171124055233.GA16381@Red \
--to=clabbe@baylibre.com \
--cc=ard.biesheuvel@linaro.org \
--cc=catalin.marinas@arm.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox