From: Herbert Xu
Subject: Re: [PATCH] crypto: skcipher - fix crash in virtual walk
Date: Wed, 14 Dec 2016 18:39:05 +0800
Message-ID: <20161214103905.GB11960@gondor.apana.org.au>
References: <1481636042-27347-1-git-send-email-ard.biesheuvel@linaro.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: linux-crypto@vger.kernel.org
To: Ard Biesheuvel
Return-path:
Received: from helcar.hengli.com.au ([209.40.204.226]:58077 "EHLO helcar.apana.org.au" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1755377AbcLNKje (ORCPT ); Wed, 14 Dec 2016 05:39:34 -0500
Content-Disposition: inline
In-Reply-To: <1481636042-27347-1-git-send-email-ard.biesheuvel@linaro.org>
Sender: linux-crypto-owner@vger.kernel.org
List-ID:

On Tue, Dec 13, 2016 at 01:34:02PM +0000, Ard Biesheuvel wrote:
> The new skcipher walk API may crash in the following way. (Interestingly,
> the tcrypt boot time tests seem unaffected, while an explicit test using
> the module triggers it)
>
> Unable to handle kernel NULL pointer dereference at virtual address 00000000
> ...
> [] __memcpy+0x84/0x180
> [] skcipher_walk_done+0x328/0x340
> [] ctr_encrypt+0x84/0x100
> [] simd_skcipher_encrypt+0x88/0x98
> [] crypto_rfc3686_crypt+0x8c/0x98
> [] test_skcipher_speed+0x518/0x820 [tcrypt]
> [] do_test+0x1408/0x3b70 [tcrypt]
> [] tcrypt_mod_init+0x50/0x1000 [tcrypt]
> [] do_one_initcall+0x44/0x138
> [] do_init_module+0x68/0x1e0
> [] load_module+0x1fd0/0x2458
> [] SyS_finit_module+0xe0/0xf0
> [] el0_svc_naked+0x24/0x28
>
> This is due to the fact that skcipher_done_slow() may be entered with
> walk->buffer unset. Since skcipher_walk_done() already deals with the
> case where walk->buffer == walk->page, it appears to be the intention
> that walk->buffer point to walk->page after skcipher_next_slow(), so
> ensure that is the case.
>
> Signed-off-by: Ard Biesheuvel

Patch applied. Thanks.
--
Email: Herbert Xu
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt