2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2025-01-01 00:54:15 +08:00
linux-next/drivers/crypto
Longpeng(Mike) 8c855f0720 crypto: virtio: Fix use-after-free in virtio_crypto_skcipher_finalize_req()
The system'll crash when the users insmod crypto/tcrypto.ko with mode=155
( testing "authenc(hmac(sha1),cbc(aes))" ). It's caused by reuse the memory
of request structure.

In crypto_authenc_init_tfm(), the reqsize is set to:
  [PART 1] sizeof(authenc_request_ctx) +
  [PART 2] ictx->reqoff +
  [PART 3] MAX(ahash part, skcipher part)
and the 'PART 3' is used by both ahash and skcipher in turn.

When the virtio_crypto driver finish skcipher req, it'll call ->complete
callback(in crypto_finalize_skcipher_request) and then free its
resources whose pointers are recorded in 'skcipher parts'.

However, the ->complete is 'crypto_authenc_encrypt_done' in this case,
it will use the 'ahash part' of the request and change its content,
so virtio_crypto driver will get the wrong pointer after ->complete
finish and mistakenly free some other's memory. So the system will crash
when these memory will be used again.

The resources which need to be cleaned up are not used any more. But the
pointers of these resources may be changed in the function
"crypto_finalize_skcipher_request". Thus release specific resources before
calling this function.

Fixes: dbaf0624ff ("crypto: add virtio-crypto driver")
Reported-by: LABBE Corentin <clabbe@baylibre.com>
Cc: Gonglei <arei.gonglei@huawei.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Jason Wang <jasowang@redhat.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: virtualization@lists.linux-foundation.org
Cc: linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20200123101000.GB24255@Red
Acked-by: Gonglei <arei.gonglei@huawei.com>
Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com>
Link: https://lore.kernel.org/r/20200602070501.2023-3-longpeng2@huawei.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
2020-06-04 15:36:51 -04:00
..
allwinner crypto: sun8i-ce - fix description of stat_fb 2020-03-06 12:28:21 +11:00
amcc crypto: crypto4xx - use GFP_KERNEL for big allocations 2020-01-09 11:30:53 +08:00
amlogic crypto: amlogic - fix removal of module 2020-01-16 15:18:12 +08:00
axis crypto: remove CRYPTO_TFM_RES_BAD_KEY_LEN 2020-01-09 11:30:53 +08:00
bcm crypto: bcm - Use scnprintf() for avoiding potential buffer overflow 2020-03-20 14:36:51 +11:00
caam crypto: caam - fix the address of the last entry of S/G 2020-04-16 16:48:56 +10:00
cavium crypto: Replace zero-length array with flexible-array member 2020-03-06 12:28:21 +11:00
ccp crypto: ccp - use file mode for sev ioctl permissions 2020-03-12 23:00:15 +11:00
ccree crypto: ccree - remove duplicated include from cc_aead.c 2020-03-30 11:50:48 +11:00
chelsio crypto: chelsio/chtls: properly set tp->lsndtime 2020-05-26 23:24:00 -07:00
hisilicon crypto: hisilicon - Fix build error 2020-04-03 15:37:26 +11:00
inside-secure crypto: remove propagation of CRYPTO_TFM_RES_* flags 2020-01-09 11:30:53 +08:00
marvell crypto: marvell/octeontx - fix double free of ptr 2020-04-03 15:37:26 +11:00
mediatek crypto: Replace zero-length array with flexible-array member 2020-03-06 12:28:21 +11:00
nx crypto: Replace zero-length array with flexible-array member 2020-03-06 12:28:21 +11:00
qat crypto: qat - simplify the qat_crypto function 2020-03-12 23:00:13 +11:00
qce crypto: qce - fix wrong config symbol reference 2020-03-12 23:00:13 +11:00
rockchip crypto: remove CRYPTO_TFM_RES_BAD_KEY_LEN 2020-01-09 11:30:53 +08:00
stm32 crypto: remove CRYPTO_TFM_RES_BAD_KEY_LEN 2020-01-09 11:30:53 +08:00
ux500 crypto: remove CRYPTO_TFM_RES_BAD_KEY_LEN 2020-01-09 11:30:53 +08:00
virtio crypto: virtio: Fix use-after-free in virtio_crypto_skcipher_finalize_req() 2020-06-04 15:36:51 -04:00
vmx .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
xilinx crypto: xilinx - Add Xilinx AES driver 2020-02-28 08:36:46 +08:00
atmel-aes-regs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
atmel-aes.c crypto: atmel-{aes,sha,tdes} - Retire crypto_platform_data 2020-01-22 16:21:09 +08:00
atmel-authenc.h crypto: remove propagation of CRYPTO_TFM_RES_* flags 2020-01-09 11:30:53 +08:00
atmel-ecc.c crypto: atmel-ecc - factor out code that can be shared 2019-05-30 15:35:45 +08:00
atmel-i2c.c crypto: atmel-i2c - Fix wakeup fail 2020-03-20 14:36:51 +11:00
atmel-i2c.h crypto: atmel - Fix -Wunused-const-variable warning 2019-08-30 18:05:31 +10:00
atmel-sha204a.c crypto: atmel-sha204a - Use device-managed registration API 2019-08-02 14:43:59 +10:00
atmel-sha-regs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
atmel-sha.c crypto: atmel-{aes,sha,tdes} - Retire crypto_platform_data 2020-01-22 16:21:09 +08:00
atmel-tdes-regs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
atmel-tdes.c crypto: atmel-{aes,sha,tdes} - Retire crypto_platform_data 2020-01-22 16:21:09 +08:00
exynos-rng.c crypto: exynos - use devm_platform_ioremap_resource() to simplify code 2019-08-09 15:11:59 +10:00
geode-aes.c crypto: remove propagation of CRYPTO_TFM_RES_* flags 2020-01-09 11:30:53 +08:00
geode-aes.h crypto: geode-aes - convert to skcipher API and make thread-safe 2019-10-23 19:46:56 +11:00
hifn_795x.c remove ioremap_nocache and devm_ioremap_nocache 2020-01-06 09:45:59 +01:00
img-hash.c crypto: img-hash - Replace zero-length array with flexible-array member 2020-02-22 09:25:48 +08:00
ixp4xx_crypto.c crypto: remove CRYPTO_TFM_RES_WEAK_KEY 2020-01-09 11:30:53 +08:00
Kconfig crypto: marvell - create common Kconfig and Makefile for Marvell 2020-03-20 14:36:51 +11:00
Makefile crypto: marvell - create common Kconfig and Makefile for Marvell 2020-03-20 14:36:51 +11:00
mxs-dcp.c crypto: mxs-dcp - fix scatterlist linearization for hash 2020-03-06 12:28:21 +11:00
n2_asm.S License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
n2_core.c crypto: remove CRYPTO_TFM_RES_BAD_KEY_LEN 2020-01-09 11:30:53 +08:00
n2_core.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
omap-aes-gcm.c crypto: omap-aes-gcm - convert to use crypto engine 2019-12-11 16:37:00 +08:00
omap-aes.c crypto: omap-aes-gcm - convert to use crypto engine 2019-12-11 16:37:00 +08:00
omap-aes.h crypto: omap-aes-gcm - convert to use crypto engine 2019-12-11 16:37:00 +08:00
omap-crypto.c crypto: omap-crypto - copy the temporary data to output buffer properly 2019-12-11 16:37:00 +08:00
omap-crypto.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
omap-des.c crypto: omap-des - handle NULL cipher request 2019-12-11 16:37:00 +08:00
omap-sham.c crypto: Replace zero-length array with flexible-array member 2020-03-06 12:28:21 +11:00
padlock-aes.c crypto: Convert to new CPU match macros 2020-03-24 21:36:06 +01:00
padlock-sha.c crypto: Convert to new CPU match macros 2020-03-24 21:36:06 +01:00
picoxcell_crypto_regs.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 156 2019-05-30 11:26:35 -07:00
picoxcell_crypto.c crypto: remove propagation of CRYPTO_TFM_RES_* flags 2020-01-09 11:30:53 +08:00
qcom-rng.c crypto: qcom-rng - use devm_platform_ioremap_resource() to simplify code 2019-08-09 15:12:03 +10:00
s5p-sss.c crypto: s5p-sss - Replace zero-length array with flexible-array member 2020-02-22 09:25:48 +08:00
sahara.c crypto: remove propagation of CRYPTO_TFM_RES_* flags 2020-01-09 11:30:53 +08:00
talitos.c crypto: remove CRYPTO_TFM_RES_BAD_KEY_LEN 2020-01-09 11:30:53 +08:00
talitos.h crypto: talitos - drop icv_ool 2019-07-03 22:13:11 +08:00