lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <20260109151724.58799-1-alansnape3058@gmail.com>
Date: Fri,  9 Jan 2026 16:17:24 +0100
From: Ella Ma <alansnape3058@...il.com>
To: thomas.lendacky@....com,
	john.allen@....com,
	herbert@...dor.apana.org.au,
	davem@...emloft.net,
	arnd@...db.de
Cc: linux-crypto@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	julia.lawall@...ia.fr,
	Markus.Elfring@....de,
	Ella Ma <alansnape3058@...il.com>,
	Tom Lendacky <thomas.lendacky@...il.com>
Subject: [PATCH v2] crypto: ccp - Fix a crash due to incorrect cleanup usage of kfree

Annotating a local pointer variable, which will be assigned with the
kmalloc-family functions, with the `__cleanup(kfree)` attribute will
make the address of the local variable, rather than the address returned
by kmalloc, passed to kfree directly and lead to a crash due to invalid
deallocation of stack address. According to other places in the repo,
the correct usage should be `__free(kfree)`. The code coincidentally
compiled because the parameter type `void *` of kfree is compatible with
the desired type `struct { ... } **`.

Fixes: a71475582ada ("crypto: ccp - reduce stack usage in ccp_run_aes_gcm_cmd")
Signed-off-by: Ella Ma <alansnape3058@...il.com>
Acked-by: Tom Lendacky <thomas.lendacky@...il.com>
---

Changes in v2:
- Update the subject prefix as suggested by Markus


I don't have the machine to actually test the changed place. So I tried
locally with a simple test module. The crash happens right when the
module is being loaded.

```C
#include <linux/init.h>
#include <linux/module.h>
MODULE_LICENSE("GPL");
static int __init custom_init(void) {
  printk(KERN_INFO "Crash reproduce for drivers/crypto/ccp/ccp-ops.c");
  int *p __cleanup(kfree) = kzalloc(sizeof(int), GFP_KERNEL);
  *p = 42;
  return 0;
}
static void __exit custom_exit(void) {}
module_init(custom_init);
module_exit(custom_exit);
```

BESIDES, scripts/checkpatch.pl reports a coding style issue originally
existing in the code, `sizeof *wa`, I fixed this together in this patch.

 drivers/crypto/ccp/ccp-ops.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
index d78865d9d5f0..f80a92006666 100644
--- a/drivers/crypto/ccp/ccp-ops.c
+++ b/drivers/crypto/ccp/ccp-ops.c
@@ -642,7 +642,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
 		struct ccp_data dst;
 		struct ccp_data aad;
 		struct ccp_op op;
-	} *wa __cleanup(kfree) = kzalloc(sizeof *wa, GFP_KERNEL);
+	} *wa __free(kfree) = kzalloc(sizeof(*wa), GFP_KERNEL);
 	unsigned int dm_offset;
 	unsigned int authsize;
 	unsigned int jobid;
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ