lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 20 Jul 2017 09:37:10 +0200
From:   Arnd Bergmann <arnd@...db.de>
To:     Christophe JAILLET <christophe.jaillet@...adoo.fr>
Cc:     Herbert Xu <herbert@...dor.apana.org.au>,
        David Miller <davem@...emloft.net>,
        linux-crypto@...r.kernel.org,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] crypto: ixp4xx - Fix error handling path in 'aead_perform()'

On Wed, Jul 19, 2017 at 11:47 PM, Christophe JAILLET
<christophe.jaillet@...adoo.fr> wrote:
> In commit 0f987e25cb8a, the source processing has been moved in front of
> the destination processing, but the error handling path has not been
> modified accordingly.
> Free resources in the correct order to avoid some leaks.
>
> Fixes: 0f987e25cb8a ("crypto: ixp4xx - Fix false lastlen uninitialised warning")
> Signed-off-by: Christophe JAILLET <christophe.jaillet@...adoo.fr>

Thanks for spotting my mistake!

I've looked at it again and think it's unfortunately still wrong with
your patch,
as there is a 'goto free_buf_src' after dma_pool_alloc(), and that now needs
to jump to free_buf_dst instead. We may also need an extra check to make
sure we don't free an uninitialized pointer again.

Can you have a look at this version below and send whatever you find
to be correct in the end?

Signed-off-by: Arnd Bergmann <arnd@...db.de>

diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c
index 427cbe012729..08b740dddb20 100644
--- a/drivers/crypto/ixp4xx_crypto.c
+++ b/drivers/crypto/ixp4xx_crypto.c
@@ -1073,7 +1073,7 @@ static int aead_perform(struct aead_request
*req, int encrypt,
                req_ctx->hmac_virt = dma_pool_alloc(buffer_pool, flags,
                                &crypt->icv_rev_aes);
                if (unlikely(!req_ctx->hmac_virt))
-                       goto free_buf_src;
+                       goto free_buf_dst;
                if (!encrypt) {
                        scatterwalk_map_and_copy(req_ctx->hmac_virt,
                                req->src, cryptlen, authsize, 0);
@@ -1088,10 +1088,11 @@ static int aead_perform(struct aead_request
*req, int encrypt,
        BUG_ON(qmgr_stat_overflow(SEND_QID));
        return -EINPROGRESS;

+free_buf_dst:
+       if (crypt->dst)
+               free_buf_chain(dev, req_ctx->dst, crypt->dst_buf);
 free_buf_src:
        free_buf_chain(dev, req_ctx->src, crypt->src_buf);
-free_buf_dst:
-       free_buf_chain(dev, req_ctx->dst, crypt->dst_buf);
        crypt->ctl_flags = CTL_FLAG_UNUSED;
        return -ENOMEM;
 }

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ