author | Patrick McHardy <kaber@trash.net> | 2008-05-08 07:27:47 -0400 |
---|---|---|
committer | Herbert Xu <herbert@gondor.apana.org.au> | 2008-07-10 08:35:12 -0400 |
commit | a558f1d4f8730f055b004b4c8ca1605aeb957daa (patch) | |
tree | 244ca2967ce2f0004ca46905b6c4eba927a7774d | |
parent | 692af5da779e018fc6a3b480b67adb33e3c6e1f0 (diff) |
[CRYPTO] tcrypt: Catch cipher destination memory corruption
Check whether the destination buffer is written to beyond the last
byte contained in the scatterlist.
Also change IDX1 of the cross-page access offsets to a multiple of 4.
This triggers a corruption in the HIFN driver and doesn't seem to
negatively impact other testcases.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-rw-r--r-- | crypto/tcrypt.c | 26 |
1 files changed, 21 insertions, 5 deletions
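--- a/crypto/tcrypt.c
+++ b/crypto/tcrypt.c
@@ -39,7 +39,7 @@
 /*
 * Indexes into the xbuf to simulate cross-page access.
 */
-#define IDX1 37
+#define IDX1 32
 #define IDX2 32400
 #define IDX3 1
 #define IDX4 8193
@@ -211,7 +211,7 @@ out:
 static void test_aead(char *algo, int enc, struct aead_testvec *template,
 unsigned int tcount)
 {
-unsigned int ret, i, j, k, temp;
+unsigned int ret, i, j, k, n, temp;
 char *q;
 struct crypto_aead *tfm;
 char *key;
@@ -353,7 +353,6 @@ next_one:
 }
 
 printk(KERN_INFO "\ntesting %s %s across pages (chunking)\n", algo, e);
-memset(xbuf, 0, XBUFSIZE);
 memset(axbuf, 0, XBUFSIZE);
 
 for (i = 0, j = 0; i < tcount; i++) {
@@ -381,6 +380,7 @@ next_one:
 goto out;
 }
 
+memset(xbuf, 0, XBUFSIZE);
 sg_init_table(sg, template[i].np);
 for (k = 0, temp = 0; k < template[i].np; k++) {
 memcpy(&xbuf[IDX[k]],
@@ -452,6 +452,14 @@ next_one:
 0 : authsize)) ?
 "fail" : "pass");
 
+for (n = 0; q[template[i].tap[k] + n]; n++)
+;
+if (n) {
+printk("Result buffer corruption %u "
+"bytes:\n", n);
+hexdump(&q[template[i].tap[k]], n);
+}
+
 temp += template[i].tap[k];
 kunmap(sg_page(&sg[k]));
 }
@@ -466,7 +474,7 @@ out:
 static void test_cipher(char *algo, int enc,
 struct cipher_testvec *template, unsigned int tcount)
 {
-unsigned int ret, i, j, k, temp;
+unsigned int ret, i, j, k, n, temp;
 char *q;
 struct crypto_ablkcipher *tfm;
 struct ablkcipher_request *req;
@@ -574,7 +582,6 @@ static void test_cipher(char *algo, int enc,
 }
 
 printk("\ntesting %s %s across pages (chunking)\n", algo, e);
-memset(xbuf, 0, XBUFSIZE);
 
 j = 0;
 for (i = 0; i < tcount; i++) {
@@ -589,6 +596,7 @@ static void test_cipher(char *algo, int enc,
 printk("test %u (%d bit key):\n",
 j, template[i].klen * 8);
 
+memset(xbuf, 0, XBUFSIZE);
 crypto_ablkcipher_clear_flags(tfm, ~0);
 if (template[i].wk)
 crypto_ablkcipher_set_flags(
@@ -648,6 +656,14 @@ static void test_cipher(char *algo, int enc,
 memcmp(q, template[i].result + temp,
 template[i].tap[k]) ? "fail" :
 "pass");
+
+for (n = 0; q[template[i].tap[k] + n]; n++)
+;
+if (n) {
+printk("Result buffer corruption %u "
+"bytes:\n", n);
+hexdump(&q[template[i].tap[k]], n);
+}
 temp += template[i].tap[k];
 kunmap(sg_page(&sg[k]));
 }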
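Review bot: The new overrun scan `for (n = 0; q[template[i].tap[k] + n]; n++)` has no upper bound, in both test_aead (new line 455) and test_cipher (new line 660): it stops only at the first zero byte. `q` is released by `kunmap(sg_page(&sg[k]))` a few lines later, so it presumably points into a single mapped page, and if a driver overwrites everything up to the end of that page the test itself reads past the mapping. Stopping the walk at the page boundary keeps the detector safe, e.g. `for (n = 0; offset_in_page(q + template[i].tap[k] + n) && q[template[i].tap[k] + n]; n++)`. The check also sees only nonzero bytes contiguous with the end of the segment, so a stray write of zeros, or one that leaves the first trailing byte untouched, goes unreported; a short comment stating that limit would help whoever reads a clean run. Both function bodies start and end outside the hunks shown.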