| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210107131236.GB5105@kadam>
Date: Thu, 7 Jan 2021 16:12:36 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: kbuild@...ts.01.org, Corentin Labbe <clabbe@...libre.com>
Cc: lkp@...el.com, kbuild-all@...ts.01.org,
linux-kernel@...r.kernel.org,
Herbert Xu <herbert@...dor.apana.org.au>
Subject: [kbuild] drivers/crypto/allwinner/sun8i-ss/sun8i-ss-hash.c:443
sun8i_ss_hash_run() warn: possible memory leak of 'result'
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head: e71ba9452f0b5b2e8dc8aa5445198cd9214a6a62
commit: d9b45418a91773b7672e4c60037a28074b495c6d crypto: sun8i-ss - support hash algorithms
config: arc-randconfig-m031-20210106 (attached as .config)
compiler: arc-elf-gcc (GCC) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@...el.com>
Reported-by: Dan Carpenter <dan.carpenter@...cle.com>
smatch warnings:
drivers/crypto/allwinner/sun8i-ss/sun8i-ss-hash.c:443 sun8i_ss_hash_run() warn: possible memory leak of 'result'
vim +/result +443 drivers/crypto/allwinner/sun8i-ss/sun8i-ss-hash.c
d9b45418a91773b7 Corentin Labbe 2020-09-18 361
d9b45418a91773b7 Corentin Labbe 2020-09-18 362 rctx->method = ss->variant->alg_hash[algt->ss_algo_id];
d9b45418a91773b7 Corentin Labbe 2020-09-18 363
d9b45418a91773b7 Corentin Labbe 2020-09-18 364 nr_sgs = dma_map_sg(ss->dev, areq->src, sg_nents(areq->src), DMA_TO_DEVICE);
d9b45418a91773b7 Corentin Labbe 2020-09-18 365 if (nr_sgs <= 0 || nr_sgs > MAX_SG) {
d9b45418a91773b7 Corentin Labbe 2020-09-18 366 dev_err(ss->dev, "Invalid sg number %d\n", nr_sgs);
d9b45418a91773b7 Corentin Labbe 2020-09-18 367 err = -EINVAL;
d9b45418a91773b7 Corentin Labbe 2020-09-18 368 goto theend;
d9b45418a91773b7 Corentin Labbe 2020-09-18 369 }
d9b45418a91773b7 Corentin Labbe 2020-09-18 370
d9b45418a91773b7 Corentin Labbe 2020-09-18 371 addr_res = dma_map_single(ss->dev, result, digestsize, DMA_FROM_DEVICE);
d9b45418a91773b7 Corentin Labbe 2020-09-18 372 if (dma_mapping_error(ss->dev, addr_res)) {
d9b45418a91773b7 Corentin Labbe 2020-09-18 373 dev_err(ss->dev, "DMA map dest\n");
d9b45418a91773b7 Corentin Labbe 2020-09-18 374 err = -EINVAL;
d9b45418a91773b7 Corentin Labbe 2020-09-18 375 goto theend;
d9b45418a91773b7 Corentin Labbe 2020-09-18 376 }
d9b45418a91773b7 Corentin Labbe 2020-09-18 377
d9b45418a91773b7 Corentin Labbe 2020-09-18 378 len = areq->nbytes;
d9b45418a91773b7 Corentin Labbe 2020-09-18 379 for_each_sg(areq->src, sg, nr_sgs, i) {
d9b45418a91773b7 Corentin Labbe 2020-09-18 380 rctx->t_src[i].addr = sg_dma_address(sg);
d9b45418a91773b7 Corentin Labbe 2020-09-18 381 todo = min(len, sg_dma_len(sg));
d9b45418a91773b7 Corentin Labbe 2020-09-18 382 rctx->t_src[i].len = todo / 4;
d9b45418a91773b7 Corentin Labbe 2020-09-18 383 len -= todo;
d9b45418a91773b7 Corentin Labbe 2020-09-18 384 rctx->t_dst[i].addr = addr_res;
d9b45418a91773b7 Corentin Labbe 2020-09-18 385 rctx->t_dst[i].len = digestsize / 4;
d9b45418a91773b7 Corentin Labbe 2020-09-18 386 }
d9b45418a91773b7 Corentin Labbe 2020-09-18 387 if (len > 0) {
d9b45418a91773b7 Corentin Labbe 2020-09-18 388 dev_err(ss->dev, "remaining len %d\n", len);
d9b45418a91773b7 Corentin Labbe 2020-09-18 389 err = -EINVAL;
d9b45418a91773b7 Corentin Labbe 2020-09-18 390 goto theend;
d9b45418a91773b7 Corentin Labbe 2020-09-18 391 }
d9b45418a91773b7 Corentin Labbe 2020-09-18 392
d9b45418a91773b7 Corentin Labbe 2020-09-18 393 byte_count = areq->nbytes;
d9b45418a91773b7 Corentin Labbe 2020-09-18 394 j = 0;
d9b45418a91773b7 Corentin Labbe 2020-09-18 395 bf[j++] = cpu_to_le32(0x80);
d9b45418a91773b7 Corentin Labbe 2020-09-18 396
d9b45418a91773b7 Corentin Labbe 2020-09-18 397 fill = 64 - (byte_count % 64);
d9b45418a91773b7 Corentin Labbe 2020-09-18 398 min_fill = 3 * sizeof(u32);
d9b45418a91773b7 Corentin Labbe 2020-09-18 399
d9b45418a91773b7 Corentin Labbe 2020-09-18 400 if (fill < min_fill)
d9b45418a91773b7 Corentin Labbe 2020-09-18 401 fill += 64;
d9b45418a91773b7 Corentin Labbe 2020-09-18 402
d9b45418a91773b7 Corentin Labbe 2020-09-18 403 j += (fill - min_fill) / sizeof(u32);
d9b45418a91773b7 Corentin Labbe 2020-09-18 404
d9b45418a91773b7 Corentin Labbe 2020-09-18 405 switch (algt->ss_algo_id) {
d9b45418a91773b7 Corentin Labbe 2020-09-18 406 case SS_ID_HASH_MD5:
d9b45418a91773b7 Corentin Labbe 2020-09-18 407 lebits = (__le64 *)&bf[j];
d9b45418a91773b7 Corentin Labbe 2020-09-18 408 *lebits = cpu_to_le64(byte_count << 3);
d9b45418a91773b7 Corentin Labbe 2020-09-18 409 j += 2;
d9b45418a91773b7 Corentin Labbe 2020-09-18 410 break;
d9b45418a91773b7 Corentin Labbe 2020-09-18 411 case SS_ID_HASH_SHA1:
d9b45418a91773b7 Corentin Labbe 2020-09-18 412 case SS_ID_HASH_SHA224:
d9b45418a91773b7 Corentin Labbe 2020-09-18 413 case SS_ID_HASH_SHA256:
d9b45418a91773b7 Corentin Labbe 2020-09-18 414 bebits = (__be64 *)&bf[j];
d9b45418a91773b7 Corentin Labbe 2020-09-18 415 *bebits = cpu_to_be64(byte_count << 3);
d9b45418a91773b7 Corentin Labbe 2020-09-18 416 j += 2;
d9b45418a91773b7 Corentin Labbe 2020-09-18 417 break;
d9b45418a91773b7 Corentin Labbe 2020-09-18 418 }
d9b45418a91773b7 Corentin Labbe 2020-09-18 419
d9b45418a91773b7 Corentin Labbe 2020-09-18 420 addr_pad = dma_map_single(ss->dev, pad, j * 4, DMA_TO_DEVICE);
d9b45418a91773b7 Corentin Labbe 2020-09-18 421 rctx->t_src[i].addr = addr_pad;
d9b45418a91773b7 Corentin Labbe 2020-09-18 422 rctx->t_src[i].len = j;
d9b45418a91773b7 Corentin Labbe 2020-09-18 423 rctx->t_dst[i].addr = addr_res;
d9b45418a91773b7 Corentin Labbe 2020-09-18 424 rctx->t_dst[i].len = digestsize / 4;
d9b45418a91773b7 Corentin Labbe 2020-09-18 425 if (dma_mapping_error(ss->dev, addr_pad)) {
d9b45418a91773b7 Corentin Labbe 2020-09-18 426 dev_err(ss->dev, "DMA error on padding SG\n");
d9b45418a91773b7 Corentin Labbe 2020-09-18 427 err = -EINVAL;
d9b45418a91773b7 Corentin Labbe 2020-09-18 428 goto theend;
^^^^^^^^^^^^
result not freed on this path.
d9b45418a91773b7 Corentin Labbe 2020-09-18 429 }
d9b45418a91773b7 Corentin Labbe 2020-09-18 430
d9b45418a91773b7 Corentin Labbe 2020-09-18 431 err = sun8i_ss_run_hash_task(ss, rctx, crypto_tfm_alg_name(areq->base.tfm));
d9b45418a91773b7 Corentin Labbe 2020-09-18 432
d9b45418a91773b7 Corentin Labbe 2020-09-18 433 dma_unmap_single(ss->dev, addr_pad, j * 4, DMA_TO_DEVICE);
d9b45418a91773b7 Corentin Labbe 2020-09-18 434 dma_unmap_sg(ss->dev, areq->src, nr_sgs, DMA_TO_DEVICE);
d9b45418a91773b7 Corentin Labbe 2020-09-18 435 dma_unmap_single(ss->dev, addr_res, digestsize, DMA_FROM_DEVICE);
d9b45418a91773b7 Corentin Labbe 2020-09-18 436
d9b45418a91773b7 Corentin Labbe 2020-09-18 437 kfree(pad);
d9b45418a91773b7 Corentin Labbe 2020-09-18 438
d9b45418a91773b7 Corentin Labbe 2020-09-18 439 memcpy(areq->result, result, algt->alg.hash.halg.digestsize);
d9b45418a91773b7 Corentin Labbe 2020-09-18 440 kfree(result);
d9b45418a91773b7 Corentin Labbe 2020-09-18 441 theend:
d9b45418a91773b7 Corentin Labbe 2020-09-18 442 crypto_finalize_hash_request(engine, breq, err);
d9b45418a91773b7 Corentin Labbe 2020-09-18 @443 return 0;
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Download attachment ".config.gz" of type "application/gzip" (42074 bytes)
_______________________________________________
kbuild mailing list -- kbuild@...ts.01.org
To unsubscribe send an email to kbuild-leave@...ts.01.org
Powered by blists - more mailing lists