Hello
I have a problem when using a simple md5 tfm.
When I use the data that ahash_request_ctx() give me, it will cause random crash when removing the module later.
I do not understand it, because .cra_ctxsize seems to be rightly used.
The very simplified POC code will follow, it register a fake md5 implementation.
If I remove the op->mode = 0, I can modprobe/rmmod for ever without problem.
With it, rmmod will segfault in 2 or 3 tries, so it is this write that is the source of the problem.
I have try to debug, but I cannot find where __ctx (the pointer returned by ahash_request_ctx) is allocated.
Does I am right when saying: ahash_request_ctx() return the pointer to a structure of size equal to cra_ctxsize allocated for each request ?
Thanks in advance
Best regards
#include <linux/clk.h>
#include <linux/crypto.h>
#include <linux/io.h>
#include <linux/module.h>
#include <linux/of.h>
#include <linux/platform_device.h>
#include <crypto/scatterwalk.h>
#include <linux/scatterlist.h>
#include <linux/interrupt.h>
#include <linux/delay.h>
#include <crypto/md5.h>
#include <crypto/sha.h>
#include <crypto/hash.h>
#include <crypto/internal/hash.h>
struct sunxi_req_ctx {
u8 key[32 * 8];
u32 keylen;
u32 mode;
u64 byte_count;
u32 waitbuf;
unsigned int nbwait;
};
int fake_init(struct ahash_request *areq) {
struct sunxi_req_ctx *op = ahash_request_ctx(areq);
/* this is the location of action that cause the crash */
op->mode = 0;
op->nbwait = 0;
return 0;
}
int fake_update(struct ahash_request *areq) {
return 0;
}
int fake_final(struct ahash_request *areq) {
return 0;
}
int fake_finup(struct ahash_request *areq) {
fake_init(areq);
return 0;
}
int fake_digest(struct ahash_request *areq) {
fake_init(areq);
return 0;
}
static struct ahash_alg sunxi_md5_alg = {
.init = fake_init,
.update = fake_update,
.final = fake_final,
.finup = fake_finup,
.digest = fake_digest,
.halg = {
.digestsize = MD5_DIGEST_SIZE,
.base = {
.cra_name = "md5",
.cra_driver_name = "md5-sunxi-ss",
.cra_priority = 300,
.cra_alignmask = 3,
.cra_flags = CRYPTO_ALG_TYPE_AHASH | CRYPTO_ALG_ASYNC,
.cra_blocksize = MD5_HMAC_BLOCK_SIZE,
.cra_ctxsize = sizeof(struct sunxi_req_ctx),
.cra_module = THIS_MODULE,
.cra_type = &crypto_ahash_type
}
}
};
static int sunxi_ss_md5_init(void)
{
int err = 0;
err = crypto_register_ahash(&sunxi_md5_alg);
if (err)
pr_err("crypto_register_alg error for MD5\n");
else
pr_info("Registred MD5\n");
return err;
}
static void __exit sunxi_ss_md5_exit(void)
{
crypto_unregister_ahash(&sunxi_md5_alg);
}
module_init(sunxi_ss_md5_init);
module_exit(sunxi_ss_md5_exit);
MODULE_DESCRIPTION("test MD5 module");
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Corentin LABBE <[email protected]>");
On Wednesday, May 28, 2014 at 12:01:09 PM, Corentin LABBE wrote:
> Hello
>
> I have a problem when using a simple md5 tfm.
> When I use the data that ahash_request_ctx() give me, it will cause random
> crash when removing the module later. I do not understand it, because
> .cra_ctxsize seems to be rightly used.
>
> The very simplified POC code will follow, it register a fake md5
> implementation. If I remove the op->mode = 0, I can modprobe/rmmod for
> ever without problem. With it, rmmod will segfault in 2 or 3 tries, so it
> is this write that is the source of the problem.
>
> I have try to debug, but I cannot find where __ctx (the pointer returned by
> ahash_request_ctx) is allocated.
>
> Does I am right when saying: ahash_request_ctx() return the pointer to a
> structure of size equal to cra_ctxsize allocated for each request ?
crypto_tfm_ctx() returns per-transformation instance (tfm) private data
ahash_request_ctx() returns per-request private data
You need to configure the request context size via crypto_ahash_set_reqsize() in
the implementations' .cra_init() callback .
[...]
static int my_cra_init(struct crypto_tfm *tfm)
{
crypto_ahash_set_reqsize(__crypto_ahash_cast(tfm),
sizeof(struct my_per_request_private_data));
return 0;
}
> static struct ahash_alg sunxi_md5_alg = {
> .init = fake_init,
> .update = fake_update,
> .final = fake_final,
> .finup = fake_finup,
> .digest = fake_digest,
> .halg = {
> .digestsize = MD5_DIGEST_SIZE,
> .base = {
> .cra_name = "md5",
> .cra_driver_name = "md5-sunxi-ss",
> .cra_priority = 300,
> .cra_alignmask = 3,
> .cra_flags = CRYPTO_ALG_TYPE_AHASH | CRYPTO_ALG_ASYNC,
> .cra_blocksize = MD5_HMAC_BLOCK_SIZE,
> .cra_ctxsize = sizeof(struct sunxi_req_ctx),
> .cra_module = THIS_MODULE,
> .cra_type = &crypto_ahash_type
.cra_init = my_cra_init,
> }
> }
> };
>
> static int sunxi_ss_md5_init(void)
> {
> int err = 0;
> err = crypto_register_ahash(&sunxi_md5_alg);
> if (err)
> pr_err("crypto_register_alg error for MD5\n");
> else
> pr_info("Registred MD5\n");
> return err;
> }
>
> static void __exit sunxi_ss_md5_exit(void)
> {
> crypto_unregister_ahash(&sunxi_md5_alg);
> }
>
> module_init(sunxi_ss_md5_init);
> module_exit(sunxi_ss_md5_exit);
module_platform_driver() here please, fix it up so this is a platform driver.