| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251113075104.1396-1-vulab@iscas.ac.cn>
Date: Thu, 13 Nov 2025 15:51:04 +0800
From: Haotian Zhang <vulab@...as.ac.cn>
To: herbert@...dor.apana.org.au,
davem@...emloft.net
Cc: linux-crypto@...r.kernel.org,
linux-kernel@...r.kernel.org,
Haotian Zhang <vulab@...as.ac.cn>
Subject: [PATCH] crypto: sa2ul: Add error handling for DMA metadata retrieval
The SA2UL driver calls dmaengine_desc_get_metadata_ptr() in AES, SHA and
AEAD DMA paths without checking for error pointers. If the metadata
retrieval fails, these functions may dereference an ERR_PTR value,
leading to kernel crashes or undefined behavior.
Add proper IS_ERR() checks after each dmaengine_desc_get_metadata_ptr()
call, log the failure, clean up the DMA state, and complete the crypto
request with an error.
Fixes: 7694b6ca649f ("crypto: sa2ul - Add crypto driver")
Fixes: 2dc53d004745 ("crypto: sa2ul - add sha1/sha256/sha512 support")
Fixes: d2c8ac187fc9 ("crypto: sa2ul - Add AEAD algorithm support")
Signed-off-by: Haotian Zhang <vulab@...as.ac.cn>
---
drivers/crypto/sa2ul.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/drivers/crypto/sa2ul.c b/drivers/crypto/sa2ul.c
index fdc0b2486069..eaec284b5e4b 100644
--- a/drivers/crypto/sa2ul.c
+++ b/drivers/crypto/sa2ul.c
@@ -1051,6 +1051,13 @@ static void sa_aes_dma_in_callback(void *data)
if (req->iv) {
mdptr = (__be32 *)dmaengine_desc_get_metadata_ptr(rxd->tx_in, &pl,
&ml);
+ if (IS_ERR(mdptr)) {
+ dev_err(rxd->ddev, "Failed to get AES RX metadata pointer: %ld\n",
+ PTR_ERR(mdptr));
+ sa_free_sa_rx_data(rxd);
+ skcipher_request_complete(req, PTR_ERR(mdptr));
+ return;
+ }
result = (u32 *)req->iv;
for (i = 0; i < (rxd->enc_iv_size / 4); i++)
@@ -1272,6 +1279,12 @@ static int sa_run(struct sa_req *req)
* crypto algorithm to be used, data sizes, different keys etc.
*/
mdptr = (u32 *)dmaengine_desc_get_metadata_ptr(tx_out, &pl, &ml);
+ if (IS_ERR(mdptr)) {
+ dev_err(pdata->dev, "Failed to get TX metadata pointer: %ld\n",
+ PTR_ERR(mdptr));
+ ret = PTR_ERR(mdptr);
+ goto err_cleanup;
+ }
sa_prepare_tx_desc(mdptr, (sa_ctx->cmdl_size + (SA_PSDATA_CTX_WORDS *
sizeof(u32))), cmdl, sizeof(sa_ctx->epib),
@@ -1367,6 +1380,14 @@ static void sa_sha_dma_in_callback(void *data)
authsize = crypto_ahash_digestsize(tfm);
mdptr = (__be32 *)dmaengine_desc_get_metadata_ptr(rxd->tx_in, &pl, &ml);
+ if (IS_ERR(mdptr)) {
+ dev_err(rxd->ddev, "Failed to get SHA RX metadata pointer: %ld\n",
+ PTR_ERR(mdptr));
+ sa_free_sa_rx_data(rxd);
+ skcipher_request_complete(req, PTR_ERR(mdptr));
+ return;
+ }
+
result = (u32 *)req->result;
for (i = 0; i < (authsize / 4); i++)
@@ -1677,6 +1698,13 @@ static void sa_aead_dma_in_callback(void *data)
authsize = crypto_aead_authsize(tfm);
mdptr = (u32 *)dmaengine_desc_get_metadata_ptr(rxd->tx_in, &pl, &ml);
+ if (IS_ERR(mdptr)) {
+ dev_err(rxd->ddev, "Failed to get AEAD RX metadata pointer: %ld\n",
+ PTR_ERR(mdptr));
+ sa_free_sa_rx_data(rxd);
+ skcipher_request_complete(req, PTR_ERR(mdptr));
+ return;
+ }
for (i = 0; i < (authsize / 4); i++)
mdptr[i + 4] = swab32(mdptr[i + 4]);
--
2.50.1.windows.1
Powered by blists - more mailing lists