Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3732724imu; Mon, 7 Jan 2019 08:29:01 -0800 (PST) X-Google-Smtp-Source: ALg8bN6znC+HT8u+QKTvb7x1q++jIF5iuq52eXwS5JGI4Evw7WN8409cRNibGLjSA+izV4ysKDpB X-Received: by 2002:a65:6392:: with SMTP id h18mr31014614pgv.107.1546878541494; Mon, 07 Jan 2019 08:29:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1546878541; cv=none; d=google.com; s=arc-20160816; b=Ld3jmG9LYXAgoJ91BsYrLw4ms9qxzd4J8pkDDvXhy55GZyPcWD/aI7qWSosuUbw4f6 3Yk0fEbYK3QmDsOOr0wbTOYVJUroWYif/BGE9dhpecRTfLKewXZTgTj2A4PJX3fLyG5j GYHiMxTCjAAzENhTMNwTK5fxzzlq6IqbH6rX8S0Jz6tR7x4Rhd+n51gLCQ1D43WxZ9s9 mv0C2D0vXepnfFIu6VvoJeLFITleOAkTbWEizntvXBAKBSQGtZoG0y0h5OXBTnTNu0/a maXWuBNuAg+Dj61a2+YOSIyTeDHp7l9eSyFTwxV+gAesiRGTie8byzlDRH65jPikzuiM h7SQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=UDziI9ylR3MBPY9Z/9eRjWEI/cM+QQ+LGHcJrIMWKcw=; b=jhqlKZLToeG4Npp64uYADThwp4i9qIgYLn/J+YSODWFmtpBZeXLYypW1z+6O9LoK9x uXLDinkG1fFiiP0KdEwkUVDJ3CrHLkTE+lngGIEo9ELXYFex60a/tYVvmJH4Q++ukD9S FsPlkPK1jYRqnxctFmljC0A78idgl/x29vt85ofs2N1eTBq/6dFdlacBRv8X62Y0VG02 rghDYPmK/Wtb1O8czg5CG8mLJsSRPX5SshwZ9PSAP8CCX/mgLwLE1SGa3fTRsT+DfMCI sHxHWnJ+i9lNFYCBHEt5m7QQVLh2lnAoLh53va84msEkDOK36SpDdpzvvj/x1GkLmJvt xNkg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="RiDweMe/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k20si4951559pfb.215.2019.01.07.08.28.44; Mon, 07 Jan 2019 08:29:01 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="RiDweMe/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731674AbfAGNOH (ORCPT + 99 others); Mon, 7 Jan 2019 08:14:07 -0500 Received: from mail.kernel.org ([198.145.29.99]:50616 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730436AbfAGNDH (ORCPT ); Mon, 7 Jan 2019 08:03:07 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id A864C2173C; Mon, 7 Jan 2019 13:03:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1546866186; bh=6Bdg7OQxHNMwaL/ic7y9jpOnuvie78Wjx3Wu4o2sXVY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=RiDweMe/SC/Kk49/acwJrCkVl7qWT+84ky8lNy/fgf2fOFp2MpXJCXW/duxrzr60u 8JQxRk6RZNOZnwmye6Em6l9p1nRLRaSynCtsIVCl3f0G/z+0yxEceW8McM1yuTEunX 4wx4VjOAdq1VFnG1ENue+OUxYiRdhKBocECRP7IM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Wenwen Wang , Herbert Xu Subject: [PATCH 4.14 073/101] crypto: cavium/nitrox - fix a DMA pool free failure Date: Mon, 7 Jan 2019 13:33:01 +0100 Message-Id: <20190107105336.985165198@linuxfoundation.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190107105330.372621917@linuxfoundation.org> References: <20190107105330.372621917@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Wenwen Wang commit 7172122be6a4712d699da4d261f92aa5ab3a78b8 upstream. In crypto_alloc_context(), a DMA pool is allocated through dma_pool_alloc() to hold the crypto context. The meta data of the DMA pool, including the pool used for the allocation 'ndev->ctx_pool' and the base address of the DMA pool used by the device 'dma', are then stored to the beginning of the pool. These meta data are eventually used in crypto_free_context() to free the DMA pool through dma_pool_free(). However, given that the DMA pool can also be accessed by the device, a malicious device can modify these meta data, especially when the device is controlled to deploy an attack. This can cause an unexpected DMA pool free failure. To avoid the above issue, this patch introduces a new structure crypto_ctx_hdr and a new field chdr in the structure nitrox_crypto_ctx hold the meta data information of the DMA pool after the allocation. Note that the original structure ctx_hdr is not changed to ensure the compatibility. Cc: Signed-off-by: Wenwen Wang Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- drivers/crypto/cavium/nitrox/nitrox_algs.c | 12 +++++++----- drivers/crypto/cavium/nitrox/nitrox_lib.c | 22 +++++++++++++++++----- drivers/crypto/cavium/nitrox/nitrox_req.h | 7 +++++++ 3 files changed, 31 insertions(+), 10 deletions(-) --- a/drivers/crypto/cavium/nitrox/nitrox_algs.c +++ b/drivers/crypto/cavium/nitrox/nitrox_algs.c @@ -73,7 +73,7 @@ static int flexi_aes_keylen(int keylen) static int nitrox_skcipher_init(struct crypto_skcipher *tfm) { struct nitrox_crypto_ctx *nctx = crypto_skcipher_ctx(tfm); - void *fctx; + struct crypto_ctx_hdr *chdr; /* get the first device */ nctx->ndev = nitrox_get_first_device(); @@ -81,12 +81,14 @@ static int nitrox_skcipher_init(struct c return -ENODEV; /* allocate nitrox crypto context */ - fctx = crypto_alloc_context(nctx->ndev); - if (!fctx) { + chdr = crypto_alloc_context(nctx->ndev); + if (!chdr) { nitrox_put_device(nctx->ndev); return -ENOMEM; } - nctx->u.ctx_handle = (uintptr_t)fctx; + nctx->chdr = chdr; + nctx->u.ctx_handle = (uintptr_t)((u8 *)chdr->vaddr + + sizeof(struct ctx_hdr)); crypto_skcipher_set_reqsize(tfm, crypto_skcipher_reqsize(tfm) + sizeof(struct nitrox_kcrypt_request)); return 0; @@ -102,7 +104,7 @@ static void nitrox_skcipher_exit(struct memset(&fctx->crypto, 0, sizeof(struct crypto_keys)); memset(&fctx->auth, 0, sizeof(struct auth_keys)); - crypto_free_context((void *)fctx); + crypto_free_context((void *)nctx->chdr); } nitrox_put_device(nctx->ndev); --- a/drivers/crypto/cavium/nitrox/nitrox_lib.c +++ b/drivers/crypto/cavium/nitrox/nitrox_lib.c @@ -146,12 +146,19 @@ static void destroy_crypto_dma_pool(stru void *crypto_alloc_context(struct nitrox_device *ndev) { struct ctx_hdr *ctx; + struct crypto_ctx_hdr *chdr; void *vaddr; dma_addr_t dma; + chdr = kmalloc(sizeof(*chdr), GFP_KERNEL); + if (!chdr) + return NULL; + vaddr = dma_pool_alloc(ndev->ctx_pool, (GFP_ATOMIC | __GFP_ZERO), &dma); - if (!vaddr) + if (!vaddr) { + kfree(chdr); return NULL; + } /* fill meta data */ ctx = vaddr; @@ -159,7 +166,11 @@ void *crypto_alloc_context(struct nitrox ctx->dma = dma; ctx->ctx_dma = dma + sizeof(struct ctx_hdr); - return ((u8 *)vaddr + sizeof(struct ctx_hdr)); + chdr->pool = ndev->ctx_pool; + chdr->dma = dma; + chdr->vaddr = vaddr; + + return chdr; } /** @@ -168,13 +179,14 @@ void *crypto_alloc_context(struct nitrox */ void crypto_free_context(void *ctx) { - struct ctx_hdr *ctxp; + struct crypto_ctx_hdr *ctxp; if (!ctx) return; - ctxp = (struct ctx_hdr *)((u8 *)ctx - sizeof(struct ctx_hdr)); - dma_pool_free(ctxp->pool, ctxp, ctxp->dma); + ctxp = ctx; + dma_pool_free(ctxp->pool, ctxp->vaddr, ctxp->dma); + kfree(ctxp); } /** --- a/drivers/crypto/cavium/nitrox/nitrox_req.h +++ b/drivers/crypto/cavium/nitrox/nitrox_req.h @@ -181,12 +181,19 @@ struct flexi_crypto_context { struct auth_keys auth; }; +struct crypto_ctx_hdr { + struct dma_pool *pool; + dma_addr_t dma; + void *vaddr; +}; + struct nitrox_crypto_ctx { struct nitrox_device *ndev; union { u64 ctx_handle; struct flexi_crypto_context *fctx; } u; + struct crypto_ctx_hdr *chdr; }; struct nitrox_kcrypt_request {