Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp3778857ybb; Mon, 6 Apr 2020 15:48:14 -0700 (PDT) X-Google-Smtp-Source: APiQypLO3Aa3BggBA+q/DgW6GoM8cLb3DsVn5aGYHk4tx6GivtL+QAVQ8GD5Wu/rOzQPAMUVeoia X-Received: by 2002:a05:6830:20cf:: with SMTP id z15mr17707202otq.47.1586213294059; Mon, 06 Apr 2020 15:48:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586213294; cv=none; d=google.com; s=arc-20160816; b=GhnBk9mjVjX1ocFbMCFDKWc1wocKhuhpveG82IVkmyn0l7k3+nq98zAwysnTr8mj/g 5uRcDFnnK3qzKXQmK+cvnAQczUGwHVS7v7Xj7BOghcqcbCahgRNsZ4NAIE2d5sZLdgVq 1etP19KyyxHU6P7PK5ic3NPXe4kEsGCQb3wZyD9d2DtJ6ZGx7imRT8mlt3HO3bu28ejq 7OdyPHn646IAFdvvmzqxMpsRXz298od1uoLX2Re8v5G7uVem98YS3c8ER3A7+K1q8Ldq 6KIes1vll3vyXCMFxkotNzBHhtivZDfBVo+VvZtGM5cEkYI6Fv0M2hNtJrH7mSW5QiB5 zl4A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from; bh=YlTTDbIiBOcB/oPj+EF5xcNJQZHYqhHyJhu4Fn/hoFc=; b=BVMsFomhWgAArCtbJFzg82DZMUhqLZpEiH0A+7k6R8UNN0Y9QWhDmdt/wUe4Z1zhqU 59Vgi0ozEmVN7CGczcsabw+c8W8D6+0j/DKtwHd2TTQaqy/zsWafLgGbijo/ftF2tiUa U4s/wel99nZBm2jFYZ//lLY9hanxqgwCoLceNFbLWXJuBrr10jBPZ2LWkcWdaePYqKzI uwVy17wdd89ViEufdhWHVJo8YU10rhNKNTMt8qCnBwzVUMUMpxEl8nFbBPcc3rdTxw4X Ql/mmrICd4cMSsdyBH+Id0kEqywEcIDoaXaeqLqNUOua4N9zAQNj8ot0eK0dQbMMvSG5 FWrA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e7si442288otr.95.2020.04.06.15.48.02; Mon, 06 Apr 2020 15:48:14 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=nxp.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726494AbgDFWrs (ORCPT + 99 others); Mon, 6 Apr 2020 18:47:48 -0400 Received: from inva020.nxp.com ([92.121.34.13]:36246 "EHLO inva020.nxp.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726225AbgDFWrr (ORCPT ); Mon, 6 Apr 2020 18:47:47 -0400 Received: from inva020.nxp.com (localhost [127.0.0.1]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id A14131A1029; Tue, 7 Apr 2020 00:47:45 +0200 (CEST) Received: from inva024.eu-rdc02.nxp.com (inva024.eu-rdc02.nxp.com [134.27.226.22]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id 89F991A0EC5; Tue, 7 Apr 2020 00:47:45 +0200 (CEST) Received: from lorenz.ea.freescale.net (lorenz.ea.freescale.net [10.171.71.5]) by inva024.eu-rdc02.nxp.com (Postfix) with ESMTP id 237BD204B1; Tue, 7 Apr 2020 00:47:45 +0200 (CEST) From: Iuliana Prodan To: Herbert Xu , Horia Geanta , Aymen Sghaier Cc: "David S. Miller" , Silvano Di Ninno , Franck Lenormand , linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, linux-imx , Iuliana Prodan Subject: [PATCH v2 2/4] crypto: caam - fix use-after-free KASAN issue for AEAD algorithms Date: Tue, 7 Apr 2020 01:47:26 +0300 Message-Id: <1586213248-4230-3-git-send-email-iuliana.prodan@nxp.com> X-Mailer: git-send-email 2.1.0 In-Reply-To: <1586213248-4230-1-git-send-email-iuliana.prodan@nxp.com> References: <1586213248-4230-1-git-send-email-iuliana.prodan@nxp.com> X-Virus-Scanned: ClamAV using ClamSMTP Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Here's the KASAN report: BUG: KASAN: use-after-free in aead_crypt_done+0x60/0xd8 Read of size 1 at addr ffff00002303f014 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc1-00162-gfcb90d5 #58 Hardware name: LS1046A RDB Board (DT) Call trace: dump_backtrace+0x0/0x260 show_stack+0x14/0x20 dump_stack+0xe8/0x144 print_address_description.isra.11+0x64/0x348 __kasan_report+0x11c/0x230 kasan_report+0xc/0x18 __asan_load1+0x5c/0x68 aead_crypt_done+0x60/0xd8 caam_jr_dequeue+0x390/0x608 tasklet_action_common.isra.13+0x1ec/0x230 tasklet_action+0x24/0x30 efi_header_end+0x1a4/0x370 irq_exit+0x114/0x128 __handle_domain_irq+0x80/0xe0 gic_handle_irq+0x50/0xa0 el1_irq+0xb8/0x180 _raw_spin_unlock_irq+0x2c/0x78 finish_task_switch+0xa4/0x2f8 __schedule+0x3a4/0x890 schedule_idle+0x28/0x50 do_idle+0x22c/0x338 cpu_startup_entry+0x24/0x40 rest_init+0xf8/0x10c arch_call_rest_init+0xc/0x14 start_kernel+0x774/0x7b4 Allocated by task 263: save_stack+0x24/0xb0 __kasan_kmalloc.isra.10+0xc4/0xe0 kasan_kmalloc+0xc/0x18 __kmalloc+0x178/0x2b8 aead_edesc_alloc+0x1b4/0xbf0 ipsec_gcm_encrypt+0xd4/0x140 crypto_aead_encrypt+0x50/0x68 test_aead_vec_cfg+0x498/0xec0 test_aead_vec+0x110/0x200 alg_test_aead+0xfc/0x680 alg_test.part.44+0x114/0x4a0 alg_test+0x1c/0x60 cryptomgr_test+0x34/0x58 kthread+0x1b8/0x1c0 ret_from_fork+0x10/0x18 Freed by task 0: save_stack+0x24/0xb0 __kasan_slab_free+0x10c/0x188 kasan_slab_free+0x10/0x18 kfree+0x7c/0x298 aead_crypt_done+0x58/0xd8 caam_jr_dequeue+0x390/0x608 tasklet_action_common.isra.13+0x1ec/0x230 tasklet_action+0x24/0x30 efi_header_end+0x1a4/0x370 The buggy address belongs to the object at ffff00002303f000 which belongs to the cache dma-kmalloc-128 of size 128 The buggy address is located 20 bytes inside of 128-byte region [ffff00002303f000, ffff00002303f080) The buggy address belongs to the page: page:fffffe00006c0fc0 refcount:1 mapcount:0 mapping:ffff00093200c000 index:0x0 flags: 0xffff00000000200(slab) raw: 0ffff00000000200 dead000000000100 dead000000000122 ffff00093200c000 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff00002303ef00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff00002303ef80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff00002303f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff00002303f080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff00002303f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Fixes: 1c2402266713 ("crypto: caam - add crypto_engine support for AEAD algorithms") Cc: # v5.6 Signed-off-by: Iuliana Prodan --- drivers/crypto/caam/caamalg.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/caam/caamalg.c b/drivers/crypto/caam/caamalg.c index 86be876..4174bd9 100644 --- a/drivers/crypto/caam/caamalg.c +++ b/drivers/crypto/caam/caamalg.c @@ -963,10 +963,12 @@ static void aead_crypt_done(struct device *jrdev, u32 *desc, u32 err, struct caam_drv_private_jr *jrp = dev_get_drvdata(jrdev); struct aead_edesc *edesc; int ecode = 0; + bool has_bklog; dev_dbg(jrdev, "%s %d: err 0x%x\n", __func__, __LINE__, err); edesc = rctx->edesc; + has_bklog = edesc->bklog; if (err) ecode = caam_jr_strstatus(jrdev, err); @@ -979,7 +981,7 @@ static void aead_crypt_done(struct device *jrdev, u32 *desc, u32 err, * If no backlog flag, the completion of the request is done * by CAAM, not crypto engine. */ - if (!edesc->bklog) + if (!has_bklog) aead_request_complete(req, ecode); else crypto_finalize_aead_request(jrp->engine, req, ecode); -- 2.1.0