From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, "Iuliana Prodan" <iuliana.prodan@nxp.com>,
"Horia Geantă" <horia.geanta@nxp.com>,
"Herbert Xu" <herbert@gondor.apana.org.au>
Subject: [PATCH 5.6 22/73] crypto: caam - fix the address of the last entry of S/G
Date: Mon, 4 May 2020 19:57:25 +0200 [thread overview]
Message-ID: <20200504165505.854835441@linuxfoundation.org> (raw)
In-Reply-To: <20200504165501.781878940@linuxfoundation.org>
From: Iuliana Prodan <iuliana.prodan@nxp.com>
commit 55b3209acbb01cb02b1ee6b1afe80d83b1aab36d upstream.
For skcipher algorithms, the input, output HW S/G tables
look like this: [IV, src][dst, IV]
Now, we can have 2 conditions here:
- there is no IV;
- src and dst are equal (in-place encryption) and scattered
and the error is an "off-by-one" in the HW S/G table.
This issue was seen with KASAN:
BUG: KASAN: slab-out-of-bounds in skcipher_edesc_alloc+0x95c/0x1018
Read of size 4 at addr ffff000022a02958 by task cryptomgr_test/321
CPU: 2 PID: 321 Comm: cryptomgr_test Not tainted
5.6.0-rc1-00165-ge4ef8383-dirty #4
Hardware name: LS1046A RDB Board (DT)
Call trace:
dump_backtrace+0x0/0x260
show_stack+0x14/0x20
dump_stack+0xe8/0x144
print_address_description.isra.11+0x64/0x348
__kasan_report+0x11c/0x230
kasan_report+0xc/0x18
__asan_load4+0x90/0xb0
skcipher_edesc_alloc+0x95c/0x1018
skcipher_encrypt+0x84/0x150
crypto_skcipher_encrypt+0x50/0x68
test_skcipher_vec_cfg+0x4d4/0xc10
test_skcipher_vec+0x178/0x1d8
alg_test_skcipher+0xec/0x230
alg_test.part.44+0x114/0x4a0
alg_test+0x1c/0x60
cryptomgr_test+0x34/0x58
kthread+0x1b8/0x1c0
ret_from_fork+0x10/0x18
Allocated by task 321:
save_stack+0x24/0xb0
__kasan_kmalloc.isra.10+0xc4/0xe0
kasan_kmalloc+0xc/0x18
__kmalloc+0x178/0x2b8
skcipher_edesc_alloc+0x21c/0x1018
skcipher_encrypt+0x84/0x150
crypto_skcipher_encrypt+0x50/0x68
test_skcipher_vec_cfg+0x4d4/0xc10
test_skcipher_vec+0x178/0x1d8
alg_test_skcipher+0xec/0x230
alg_test.part.44+0x114/0x4a0
alg_test+0x1c/0x60
cryptomgr_test+0x34/0x58
kthread+0x1b8/0x1c0
ret_from_fork+0x10/0x18
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff000022a02800
which belongs to the cache dma-kmalloc-512 of size 512
The buggy address is located 344 bytes inside of
512-byte region [ffff000022a02800, ffff000022a02a00)
The buggy address belongs to the page:
page:fffffe00006a8000 refcount:1 mapcount:0 mapping:ffff00093200c400
index:0x0 compound_mapcount: 0
flags: 0xffff00000010200(slab|head)
raw: 0ffff00000010200 dead000000000100 dead000000000122 ffff00093200c400
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff000022a02800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff000022a02880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff000022a02900: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
^
ffff000022a02980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff000022a02a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Fixes: 334d37c9e263 ("crypto: caam - update IV using HW support")
Cc: <stable@vger.kernel.org> # v5.3+
Signed-off-by: Iuliana Prodan <iuliana.prodan@nxp.com>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/caam/caamalg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/crypto/caam/caamalg.c
+++ b/drivers/crypto/caam/caamalg.c
@@ -1791,7 +1791,7 @@ static struct skcipher_edesc *skcipher_e
if (ivsize || mapped_dst_nents > 1)
sg_to_sec4_set_last(edesc->sec4_sg + dst_sg_idx +
- mapped_dst_nents);
+ mapped_dst_nents - 1 + !!ivsize);
if (sec4_sg_bytes) {
edesc->sec4_sg_dma = dma_map_single(jrdev, edesc->sec4_sg,
next prev parent reply other threads:[~2020-05-04 18:05 UTC|newest]
Thread overview: 90+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-04 17:57 [PATCH 5.6 00/73] 5.6.11-rc1 review Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 01/73] drm/scheduler: fix drm_sched_get_cleanup_job Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 02/73] dma-buf: Fix SET_NAME ioctl uapi Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 03/73] drm/amdgpu: invalidate L2 before SDMA IBs (v2) Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 04/73] drm/edid: Fix off-by-one in DispID DTD pixel clock Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 05/73] drm/amd/display: Fix green screen issue after suspend Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 06/73] drm/i915/gem: Hold obj->vma.lock over for_each_ggtt_vma() Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 07/73] drm/i915/gt: Check cacheline is valid before acquiring Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 08/73] drm/qxl: qxl_release leak in qxl_draw_dirty_fb() Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 09/73] drm/qxl: qxl_release leak in qxl_hw_surface_alloc() Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 10/73] drm/qxl: qxl_release use after free Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 11/73] NFSv4.1: fix handling of backchannel binding in BIND_CONN_TO_SESSION Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 12/73] btrfs: fix transaction leak in btrfs_recover_relocation Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 13/73] btrfs: fix block group leak when removing fails Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 14/73] btrfs: fix partial loss of prealloc extent past i_size after fsync Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 15/73] btrfs: transaction: Avoid deadlock due to bad initialization timing of fs_info::journal_info Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 16/73] mmc: cqhci: Avoid false "cqhci: CQE stuck on" by not open-coding timeout loop Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 17/73] mmc: sdhci-xenon: fix annoying 1.8V regulator warning Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 18/73] mmc: sdhci-pci: Fix eMMC driver strength for BYT-based controllers Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 19/73] mmc: sdhci-msm: Enable host capabilities pertains to R1b response Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 20/73] mmc: meson-mx-sdio: Set MMC_CAP_WAIT_WHILE_BUSY Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 21/73] mmc: meson-mx-sdio: remove the broken ->card_busy() op Greg Kroah-Hartman
2020-05-04 17:57 ` Greg Kroah-Hartman [this message]
2020-05-04 17:57 ` [PATCH 5.6 23/73] ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 24/73] ALSA: usb-audio: Correct a typo of NuPrime DAC-10 USB ID Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 25/73] ALSA: hda/hdmi: fix without unlocked before return Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 26/73] ALSA: line6: Fix POD HD500 audio playback Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 27/73] ALSA: pcm: oss: Place the plugin buffer overflow checks correctly Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 28/73] i2c: amd-mp2-pci: Fix Oops in amd_mp2_pci_init() error handling Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 29/73] x86/hyperv: Suspend/resume the VP assist page for hibernation Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 30/73] Drivers: hv: vmbus: Fix Suspend-to-Idle for Generation-2 VM Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 31/73] dlmfs_file_write(): fix the bogosity in handling non-zero *ppos Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 32/73] selinux: properly handle multiple messages in selinux_netlink_send() Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 33/73] IB/rdmavt: Always return ERR_PTR from rvt_create_mmap_info() Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 34/73] PM: ACPI: Output correct message on target power state Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 35/73] PM: hibernate: Freeze kernel threads in software_resume() Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 36/73] dm verity fec: fix hash block number in verity_fec_decode Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 37/73] dm writecache: fix data corruption when reloading the target Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 38/73] dm multipath: use updated MPATHF_QUEUE_IO on mapping for bio-based mpath Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 39/73] ARM: dts: imx6qdl-sr-som-ti: indicate powering off wifi is safe Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 40/73] block: remove the bd_openers checks in blk_drop_partitions Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 41/73] scsi: qla2xxx: set UNLOADING before waiting for session deletion Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 42/73] scsi: qla2xxx: check UNLOADING before posting async work Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 43/73] RDMA/mlx5: Set GRH fields in query QP on RoCE Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 44/73] RDMA/uverbs: Fix a race with disassociate and exit_mmap() Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 45/73] RDMA/mlx4: Initialize ib_spec on the stack Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 46/73] RDMA/siw: Fix potential siw_mem refcnt leak in siw_fastreg_mr() Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 47/73] RDMA/core: Prevent mixed use of FDs between shared ufiles Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 48/73] RDMA/core: Fix overwriting of uobj in case of error Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 49/73] RDMA/core: Fix race between destroy and release FD object Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 50/73] RDMA/cm: Fix ordering of xa_alloc_cyclic() in ib_create_cm_id() Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 51/73] RDMA/cm: Fix an error check in cm_alloc_id_priv() Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 52/73] i2c: iproc: generate stop event for slave writes Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 53/73] dmaengine: hisilicon: Fix build error without PCI_MSI Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 54/73] vfio: avoid possible overflow in vfio_iommu_type1_pin_pages Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 55/73] vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn() Greg Kroah-Hartman
2020-05-04 17:57 ` [PATCH 5.6 56/73] iommu/qcom: Fix local_base status check Greg Kroah-Hartman
2020-05-04 17:58 ` [PATCH 5.6 57/73] dmaengine: ti: k3-psil: fix deadlock on error path Greg Kroah-Hartman
2020-05-04 17:58 ` [PATCH 5.6 58/73] dmaengine: fix channel index enumeration Greg Kroah-Hartman
2020-05-04 17:58 ` [PATCH 5.6 59/73] scsi: target/iblock: fix WRITE SAME zeroing Greg Kroah-Hartman
2020-05-04 17:58 ` [PATCH 5.6 60/73] iommu: Properly export iommu_group_get_for_dev() Greg Kroah-Hartman
2020-05-04 17:58 ` [PATCH 5.6 61/73] iommu/vt-d: Use right Kconfig option name Greg Kroah-Hartman
2020-05-04 19:42 ` Joe Perches
2020-05-04 19:42 ` Joe Perches
2020-05-04 17:58 ` [PATCH 5.6 62/73] iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system Greg Kroah-Hartman
2020-05-04 17:58 ` [PATCH 5.6 63/73] i2c: aspeed: Avoid i2c interrupt status clear race condition Greg Kroah-Hartman
2020-05-04 17:58 ` [PATCH 5.6 64/73] ALSA: opti9xx: shut up gcc-10 range warning Greg Kroah-Hartman
2020-05-04 17:58 ` [PATCH 5.6 65/73] Fix use after free in get_tree_bdev() Greg Kroah-Hartman
2020-05-04 17:58 ` [PATCH 5.6 66/73] nvme: prevent double free in nvme_alloc_ns() error handling Greg Kroah-Hartman
2020-05-04 17:58 ` [PATCH 5.6 67/73] drm/i915/selftests: Fix i915_address_space refcnt leak Greg Kroah-Hartman
2020-05-04 17:58 ` [PATCH 5.6 68/73] nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl Greg Kroah-Hartman
2020-05-04 17:58 ` [PATCH 5.6 69/73] dmaengine: dmatest: Fix iteration non-stop logic Greg Kroah-Hartman
2020-05-04 17:58 ` [PATCH 5.6 70/73] drm/i915: Use proper fault mask in interrupt postinstall too Greg Kroah-Hartman
2020-05-04 17:58 ` [PATCH 5.6 71/73] dmaengine: dmatest: Fix process hang when reading wait parameter Greg Kroah-Hartman
2020-05-04 17:58 ` [PATCH 5.6 72/73] arm64: vdso: Add -fasynchronous-unwind-tables to cflags Greg Kroah-Hartman
2020-05-04 17:58 ` [PATCH 5.6 73/73] io_uring: statx must grab the file table for valid fd Greg Kroah-Hartman
[not found] ` <20200504165501.781878940-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
2020-05-05 8:38 ` [PATCH 5.6 00/73] 5.6.11-rc1 review Jon Hunter
2020-05-05 8:38 ` Jon Hunter
[not found] ` <f3d40fc3-1c82-5395-e96b-65e7ba9cbfc9-DDmLM1+adcrQT0dZR+AlfA@public.gmane.org>
2020-05-05 9:18 ` Greg Kroah-Hartman
2020-05-05 9:18 ` Greg Kroah-Hartman
2020-05-05 14:27 ` Naresh Kamboju
2020-05-05 18:12 ` Greg Kroah-Hartman
2020-05-05 15:25 ` shuah
2020-05-05 15:30 ` shuah
2020-05-05 15:36 ` Takashi Iwai
2020-05-05 15:43 ` shuah
2020-05-05 16:19 ` shuah
2020-05-05 16:59 ` Greg Kroah-Hartman
2020-05-05 15:45 ` Guenter Roeck
2020-05-05 18:12 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200504165505.854835441@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=herbert@gondor.apana.org.au \
--cc=horia.geanta@nxp.com \
--cc=iuliana.prodan@nxp.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.