lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 3 Aug 2020 15:58:58 +0800
From:   Liwei Song <liwei.song@...driver.com>
To:     Tom Lendacky <thomas.lendacky@....com>,
        Gary Hook <gary.hook@....com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        David <davem@...emloft.net>, <linux-crypto@...r.kernel.org>
CC:     <linux-kernel@...r.kernel.org>, <liwei.song@...driver.com>
Subject: [PATCH] crypto: ccp - zero the cmd data after use it

exist the following assignment in ccp(ignore the force
convert of the struct) by list_del in ccp_dequeue_cmd():
req->__ctx->cmd->entry->next = LIST_POISON1;

after use the req, kzfree(req) can not zero the entry
entry->next = LIST_POISON1 of the ccp_cmd(cmd) struct
when this address available as slub freelist pointer, this will cause
the following "general protection fault" error if some process meet
this LIST_POISON1 value address when request memory:

general protection fault: 0000 1 PREEMPT SMP NOPTI
CPU: 13 PID: 111282 Comm: msgstress03 Not tainted 5.2.45-yocto-standard #1
Hardware name: AMD Corporation Wallaby/Wallaby, BIOS WWB7713N 07/11/2017
RIP: 0010:__kmalloc_node+0x106/0x2f0
RSP: 0018:ffffaa6dd83ffdc8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000033e0cd
RDX: 000000000033e08d RSI: 000000000033e08d RDI: 000000000002c180
RBP: ffffaa6dd83ffe00 R08: 00000000000000d4 R09: ffff966c9dc07180
R10: dead000000000100 R11: 0000000000000000 R12: 0000000000000cc0
R13: 0000000000000100 R14: 00000000ffffffff R15: ffff966c9dc07180
FS: 00007f83bb756600(0000) GS:ffff966c9e340000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f83bb6917e0 CR3: 000000080b794000 CR4: 00000000003406e0
Call Trace:
? kvmalloc_node+0x7b/0x90
kvmalloc_node+0x7b/0x90
newque+0x32/0x1a0
ipcget+0x27a/0x2c0
ksys_msgget+0x51/0x70
__x64_sys_msgget+0x16/0x20
do_syscall_64+0x4d/0x130
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f83bb6917e7

Fix it by zero cmd struct after finished use it.

Signed-off-by: Liwei Song <liwei.song@...driver.com>
---
 drivers/crypto/ccp/ccp-dev.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/crypto/ccp/ccp-dev.c b/drivers/crypto/ccp/ccp-dev.c
index edefa669153f..75a6418d541d 100644
--- a/drivers/crypto/ccp/ccp-dev.c
+++ b/drivers/crypto/ccp/ccp-dev.c
@@ -409,6 +409,7 @@ static void ccp_do_cmd_complete(unsigned long data)
 	cmd->callback(cmd->data, cmd->ret);
 
 	complete(&tdata->completion);
+	memset(cmd, 0, sizeof(*cmd));
 }
 
 /**
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ