Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp3901390ybz;
        Mon, 4 May 2020 11:48:23 -0700 (PDT)
X-Google-Smtp-Source: APiQypKldcRvtwn2IRVFmZcT+9mgBkQRkJRqZETM/HY1G1jjljRtoU63ssbr8EN8OV7irYcO6FNt
X-Received: by 2002:a17:906:6411:: with SMTP id d17mr16431666ejm.109.1588618103279;
        Mon, 04 May 2020 11:48:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1588618103; cv=none;
        d=google.com; s=arc-20160816;
        b=Q7OIVBWL0OGuVlDwUj5a9t2m+KYJtirvcSidAdUoMYinVW7tDbtDG9pgM0fcgTihUH
         aoZLqMSi9L//c4IUKM4tLLAjQuOu6mm/0WchoFlJ7fEPu/N21eDoLgFrgJUp1qEv85k4
         5pxSZvwl7VOkKybN/Yw8uSSb1B1uFsJpAJB+GqqLNnC1emqq0r8K2RMUh6lxpxe/ve42
         7Vg/WpI7lXT5KR18NWwBgyrGDoWgBvmG9vITC1rlsBqOK3Qv62eQA9Ej5lgIcTFVWDFL
         jO1hAeupH8qluWGbajHt+lO3wdqG1XeVwckt0fVdSAl4Wb48l7xKNLkEZ0tyOAcvATal
         Fo+Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=9zIeE3IEeQ3f1T36v5sh5jZJPJ0XaGLIImH8Nu2vEUU=;
        b=Zsf/bTPETgBe6m8OJ3ltwjcIU8RD63+2wMaqLqXVb2vXMzAnozLGNmYiBR1R+9ADHJ
         tUWLe4IHBEZ52mxLW8+jdaZd7j4ZYcLBb7gQvFNvZhCtLR2f3RBFx/CI45lEycpIWs8A
         u4XYjlNCgqh3H75RJ/ZSoXWbS/cTBbba+i03XPrBAEonj9TdN4wSxmN04XC6pnzDWX1i
         0r9IXEtGv1ljycVXJoy1mb+i1wPUZmVFdf1md+AJxpSoV8tJTe8UN0/fYY3POHI8j4/K
         AjRsu/XrVBWJN2/ViqVoglGSgLSAGZaqjp9lmlg1T0gQA6QDVAImH4H10Ds1gijBqfMO
         Cnvg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=lOK1qJfM;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id c17si6999686edt.167.2020.05.04.11.48.00;
        Mon, 04 May 2020 11:48:23 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=lOK1qJfM;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731849AbgEDSFo (ORCPT <rfc822;carmate383@gmail.com>
        + 99 others); Mon, 4 May 2020 14:05:44 -0400
Received: from mail.kernel.org ([198.145.29.99]:35614 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1731303AbgEDSFl (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 4 May 2020 14:05:41 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 3C99D206B8;
        Mon,  4 May 2020 18:05:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1588615540;
        bh=8QJu8C4+M3+eSdZiUf/yJQMwEkuvIhK4bHbnDdisRRw=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=lOK1qJfMcvT/W/AnvmI89hZPHzw8V0DH1fkxYQ31MIlVaR0JPwuVksm4qCBOM88ra
         p8whDMsI80rC6KOyvPXkbMzAHZyYBmhpLMK7Rds7mKRAFiDgctir6ByIYK1YNaREU6
         uwyS4F4F4itwY8fbYjsS2thLLn58+znfuOimqLFw=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Iuliana Prodan <iuliana.prodan@nxp.com>,
        =?UTF-8?q?Horia=20Geant=C4=83?= <horia.geanta@nxp.com>,
        Herbert Xu <herbert@gondor.apana.org.au>
Subject: [PATCH 5.6 22/73] crypto: caam - fix the address of the last entry of S/G
Date:   Mon,  4 May 2020 19:57:25 +0200
Message-Id: <20200504165505.854835441@linuxfoundation.org>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200504165501.781878940@linuxfoundation.org>
References: <20200504165501.781878940@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Iuliana Prodan <iuliana.prodan@nxp.com>

commit 55b3209acbb01cb02b1ee6b1afe80d83b1aab36d upstream.

For skcipher algorithms, the input, output HW S/G tables
look like this: [IV, src][dst, IV]
Now, we can have 2 conditions here:
- there is no IV;
- src and dst are equal (in-place encryption) and scattered
and the error is an "off-by-one" in the HW S/G table.

This issue was seen with KASAN:
BUG: KASAN: slab-out-of-bounds in skcipher_edesc_alloc+0x95c/0x1018

Read of size 4 at addr ffff000022a02958 by task cryptomgr_test/321

CPU: 2 PID: 321 Comm: cryptomgr_test Not tainted
5.6.0-rc1-00165-ge4ef8383-dirty #4
Hardware name: LS1046A RDB Board (DT)
Call trace:
 dump_backtrace+0x0/0x260
 show_stack+0x14/0x20
 dump_stack+0xe8/0x144
 print_address_description.isra.11+0x64/0x348
 __kasan_report+0x11c/0x230
 kasan_report+0xc/0x18
 __asan_load4+0x90/0xb0
 skcipher_edesc_alloc+0x95c/0x1018
 skcipher_encrypt+0x84/0x150
 crypto_skcipher_encrypt+0x50/0x68
 test_skcipher_vec_cfg+0x4d4/0xc10
 test_skcipher_vec+0x178/0x1d8
 alg_test_skcipher+0xec/0x230
 alg_test.part.44+0x114/0x4a0
 alg_test+0x1c/0x60
 cryptomgr_test+0x34/0x58
 kthread+0x1b8/0x1c0
 ret_from_fork+0x10/0x18

Allocated by task 321:
 save_stack+0x24/0xb0
 __kasan_kmalloc.isra.10+0xc4/0xe0
 kasan_kmalloc+0xc/0x18
 __kmalloc+0x178/0x2b8
 skcipher_edesc_alloc+0x21c/0x1018
 skcipher_encrypt+0x84/0x150
 crypto_skcipher_encrypt+0x50/0x68
 test_skcipher_vec_cfg+0x4d4/0xc10
 test_skcipher_vec+0x178/0x1d8
 alg_test_skcipher+0xec/0x230
 alg_test.part.44+0x114/0x4a0
 alg_test+0x1c/0x60
 cryptomgr_test+0x34/0x58
 kthread+0x1b8/0x1c0
 ret_from_fork+0x10/0x18

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff000022a02800
 which belongs to the cache dma-kmalloc-512 of size 512
The buggy address is located 344 bytes inside of
 512-byte region [ffff000022a02800, ffff000022a02a00)
The buggy address belongs to the page:
page:fffffe00006a8000 refcount:1 mapcount:0 mapping:ffff00093200c400
index:0x0 compound_mapcount: 0
flags: 0xffff00000010200(slab|head)
raw: 0ffff00000010200 dead000000000100 dead000000000122 ffff00093200c400
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff000022a02800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff000022a02880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff000022a02900: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
                                                    ^
 ffff000022a02980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff000022a02a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc

Fixes: 334d37c9e263 ("crypto: caam - update IV using HW support")
Cc: <stable@vger.kernel.org> # v5.3+
Signed-off-by: Iuliana Prodan <iuliana.prodan@nxp.com>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/caam/caamalg.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/crypto/caam/caamalg.c
+++ b/drivers/crypto/caam/caamalg.c
@@ -1791,7 +1791,7 @@ static struct skcipher_edesc *skcipher_e
 
 	if (ivsize || mapped_dst_nents > 1)
 		sg_to_sec4_set_last(edesc->sec4_sg + dst_sg_idx +
-				    mapped_dst_nents);
+				    mapped_dst_nents - 1 + !!ivsize);
 
 	if (sec4_sg_bytes) {
 		edesc->sec4_sg_dma = dma_map_single(jrdev, edesc->sec4_sg,