2011-05-23 23:46:34

by Kim Phillips

[permalink] [raw]
Subject: [PATCH] crypto: caam - fix operator precedence in shared descriptor allocation

setkey allocates 16 bytes (CAAM_CMD_SZ *
DESC_AEAD_SHARED_TEXT_LEN) shy of what is needed to
store the shared descriptor, resulting in memory
corruption. Fix this.

Signed-off-by: Kim Phillips <[email protected]>
---
Bug introduced in commit 4427b1b - "crypto: caam - add support for
sha512 variants of existing AEAD algorithms".

drivers/crypto/caam/caamalg.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/crypto/caam/caamalg.c b/drivers/crypto/caam/caamalg.c
index d0e65d6..676d957 100644
--- a/drivers/crypto/caam/caamalg.c
+++ b/drivers/crypto/caam/caamalg.c
@@ -238,9 +238,9 @@ static int build_sh_desc_ipsec(struct caam_ctx *ctx)

/* build shared descriptor for this session */
sh_desc = kmalloc(CAAM_CMD_SZ * DESC_AEAD_SHARED_TEXT_LEN +
- keys_fit_inline ?
- ctx->split_key_pad_len + ctx->enckeylen :
- CAAM_PTR_SZ * 2, GFP_DMA | GFP_KERNEL);
+ (keys_fit_inline ?
+ ctx->split_key_pad_len + ctx->enckeylen :
+ CAAM_PTR_SZ * 2), GFP_DMA | GFP_KERNEL);
if (!sh_desc) {
dev_err(jrdev, "could not allocate shared descriptor\n");
return -ENOMEM;
--
1.7.5.1


2011-05-26 03:30:46

by Herbert Xu

[permalink] [raw]
Subject: Re: [PATCH] crypto: caam - fix operator precedence in shared descriptor allocation

On Mon, May 23, 2011 at 06:45:23PM -0500, Kim Phillips wrote:
> setkey allocates 16 bytes (CAAM_CMD_SZ *
> DESC_AEAD_SHARED_TEXT_LEN) shy of what is needed to
> store the shared descriptor, resulting in memory
> corruption. Fix this.
>
> Signed-off-by: Kim Phillips <[email protected]>

Applied to cryptodev. Thanks Kim!
--
Email: Herbert Xu <[email protected]r.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

2011-06-29 16:12:55

by Kim Phillips

[permalink] [raw]
Subject: Re: [PATCH] crypto: caam - fix operator precedence in shared descriptor allocation

On Thu, 26 May 2011 13:30:44 +1000
Herbert Xu <[email protected]> wrote:

> On Mon, May 23, 2011 at 06:45:23PM -0500, Kim Phillips wrote:
> > setkey allocates 16 bytes (CAAM_CMD_SZ *
> > DESC_AEAD_SHARED_TEXT_LEN) shy of what is needed to
> > store the shared descriptor, resulting in memory
> > corruption. Fix this.
> >
> > Signed-off-by: Kim Phillips <[email protected]>
>
> Applied to cryptodev. Thanks Kim!

Herbert, this patch fixes a memory corruption bug introduced in
commit 4427b1b - "crypto: caam - add support for sha512 variants of
existing AEAD algorithms", which is currently the last commit for
caam in Linus' tree. Can you please push this commit (c5bf900 in
cryptodev) to Linus before he releases 3.0?

btw, it would be good if commit af56dea "crypto: caam - fix build
warning when DEBUG_FS not configured" were also pushed to avoid the
build-bot messages, but it's not nearly as important as this one.

Thanks,

Kim

2011-06-29 23:45:09

by Herbert Xu

[permalink] [raw]
Subject: Re: [PATCH] crypto: caam - fix operator precedence in shared descriptor allocation

On Wed, Jun 29, 2011 at 11:12:26AM -0500, Kim Phillips wrote:
> On Thu, 26 May 2011 13:30:44 +1000
> Herbert Xu <[email protected]> wrote:
>
> > On Mon, May 23, 2011 at 06:45:23PM -0500, Kim Phillips wrote:
> > > setkey allocates 16 bytes (CAAM_CMD_SZ *
> > > DESC_AEAD_SHARED_TEXT_LEN) shy of what is needed to
> > > store the shared descriptor, resulting in memory
> > > corruption. Fix this.
> > >
> > > Signed-off-by: Kim Phillips <[email protected]>
> >
> > Applied to cryptodev. Thanks Kim!
>
> Herbert, this patch fixes a memory corruption bug introduced in
> commit 4427b1b - "crypto: caam - add support for sha512 variants of
> existing AEAD algorithms", which is currently the last commit for
> caam in Linus' tree. Can you please push this commit (c5bf900 in
> cryptodev) to Linus before he releases 3.0?

Thanks for the note. I'll push this patch to crypto-2.6 and rebase
cryptodev.

Cheers,
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt