diff options
| author | Russell King <rmk+kernel@arm.linux.org.uk> | 2015-10-09 15:43:43 -0400 |
|---|---|---|
| committer | Herbert Xu <herbert@gondor.apana.org.au> | 2015-10-14 10:23:18 -0400 |
| commit | e72f407ee793f1455051cfa834e758afca09e4f6 (patch) | |
| tree | 28dd30c50cc6587bcf4475a6b2dab2536fa00678 /drivers/crypto | |
| parent | 9f5594c91e7cf5952ce39aff8b88c95a19a27e06 (diff) | |
crypto: marvell/cesa - initialise struct mv_cesa_ahash_req
When a AF_ALG fd is accepted a second time (hence hash_accept() is
used), hash_accept_parent() allocates a new private context using
sock_kmalloc(). This context is uninitialised. After use of the new
fd, we eventually end up with the kernel complaining:
marvell-cesa f1090000.crypto: dma_pool_free cesa_padding, c0627770/0 (bad dma)
where c0627770 is a random address. Poisoning the memory allocated by
the above sock_kmalloc() produces kernel oopses within the marvell hash
code, particularly the interrupt handling.
The following simplfied call sequence occurs:
hash_accept()
crypto_ahash_export()
marvell hash export function
af_alg_accept()
hash_accept_parent() <== allocates uninitialised struct hash_ctx
crypto_ahash_import()
marvell hash import function
hash_ctx contains the struct mv_cesa_ahash_req in its req.__ctx member,
and, as the marvell hash import function only partially initialises
this structure, we end up with a lot of members which are left with
whatever data was in memory prior to sock_kmalloc().
Add zero-initialisation of this structure.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Acked-by: Boris Brezillon <boris.brezillon@free-electronc.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'drivers/crypto')
| -rw-r--r-- | drivers/crypto/marvell/hash.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/drivers/crypto/marvell/hash.c b/drivers/crypto/marvell/hash.c index aa18324d09e3..13bbf7cea072 100644 --- a/drivers/crypto/marvell/hash.c +++ b/drivers/crypto/marvell/hash.c | |||
| @@ -833,6 +833,10 @@ static int mv_cesa_md5_import(struct ahash_request *req, const void *in) | |||
| 833 | unsigned int cache_ptr; | 833 | unsigned int cache_ptr; |
| 834 | int ret; | 834 | int ret; |
| 835 | 835 | ||
| 836 | ret = crypto_ahash_init(req); | ||
| 837 | if (ret) | ||
| 838 | return ret; | ||
| 839 | |||
| 836 | creq->len = in_state->byte_count; | 840 | creq->len = in_state->byte_count; |
| 837 | memcpy(creq->state, in_state->hash, digsize); | 841 | memcpy(creq->state, in_state->hash, digsize); |
| 838 | creq->cache_ptr = 0; | 842 | creq->cache_ptr = 0; |
| @@ -923,6 +927,10 @@ static int mv_cesa_sha1_import(struct ahash_request *req, const void *in) | |||
| 923 | unsigned int cache_ptr; | 927 | unsigned int cache_ptr; |
| 924 | int ret; | 928 | int ret; |
| 925 | 929 | ||
| 930 | ret = crypto_ahash_init(req); | ||
| 931 | if (ret) | ||
| 932 | return ret; | ||
| 933 | |||
| 926 | creq->len = in_state->count; | 934 | creq->len = in_state->count; |
| 927 | memcpy(creq->state, in_state->state, digsize); | 935 | memcpy(creq->state, in_state->state, digsize); |
| 928 | creq->cache_ptr = 0; | 936 | creq->cache_ptr = 0; |
| @@ -1024,6 +1032,10 @@ static int mv_cesa_sha256_import(struct ahash_request *req, const void *in) | |||
| 1024 | unsigned int cache_ptr; | 1032 | unsigned int cache_ptr; |
| 1025 | int ret; | 1033 | int ret; |
| 1026 | 1034 | ||
| 1035 | ret = crypto_ahash_init(req); | ||
| 1036 | if (ret) | ||
| 1037 | return ret; | ||
| 1038 | |||
| 1027 | creq->len = in_state->count; | 1039 | creq->len = in_state->count; |
| 1028 | memcpy(creq->state, in_state->state, digsize); | 1040 | memcpy(creq->state, in_state->state, digsize); |
| 1029 | creq->cache_ptr = 0; | 1041 | creq->cache_ptr = 0; |