xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

crypto: user - fix use_after_free of struct xxx_request

Browse Source 
All crypto_stats functions use the struct xxx_request for feeding stats,
but in some case this structure could already be freed.

For fixing this, the needed parameters (len and alg) will be stored
before the request being executed.
Fixes: cac5818c25 ("crypto: user - Implement a generic crypto statistics")
Reported-by: syzbot <syzbot+6939a606a5305e9e9799@syzkaller.appspotmail.com>

Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This commit is contained in:
Corentin Labbe
2018-11-29 14:42:21 +00:00
committed by Herbert Xu
parent 76d09ea7c2
commit f7d76e05d0
11 changed files with 376 additions and 276 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
include/crypto/aead.h
View File

@@ -306,34 +306,6 @@ static inline struct crypto_aead *crypto_aead_reqtfm(struct aead_request *req)
return __crypto_aead_cast(req->base.tfm);
}
static inline void crypto_stat_aead_encrypt(struct aead_request *req, int ret)
{
#ifdef CONFIG_CRYPTO_STATS
struct crypto_aead *tfm = crypto_aead_reqtfm(req);
if (ret && ret != -EINPROGRESS && ret != -EBUSY) {
atomic64_inc(&tfm->base.__crt_alg->aead_err_cnt);
} else {
atomic64_inc(&tfm->base.__crt_alg->encrypt_cnt);
atomic64_add(req->cryptlen, &tfm->base.__crt_alg->encrypt_tlen);
}
#endif
}
static inline void crypto_stat_aead_decrypt(struct aead_request *req, int ret)
{
#ifdef CONFIG_CRYPTO_STATS
struct crypto_aead *tfm = crypto_aead_reqtfm(req);
if (ret && ret != -EINPROGRESS && ret != -EBUSY) {
atomic64_inc(&tfm->base.__crt_alg->aead_err_cnt);
} else {
atomic64_inc(&tfm->base.__crt_alg->decrypt_cnt);
atomic64_add(req->cryptlen, &tfm->base.__crt_alg->decrypt_tlen);
}
#endif
}
/**
* crypto_aead_encrypt() - encrypt plaintext
* @req: reference to the aead_request handle that holds all information
@@ -356,13 +328,16 @@ static inline void crypto_stat_aead_decrypt(struct aead_request *req, int ret)
static inline int crypto_aead_encrypt(struct aead_request *req)
{
struct crypto_aead *aead = crypto_aead_reqtfm(req);
struct crypto_alg *alg = aead->base.__crt_alg;
unsigned int cryptlen = req->cryptlen;
int ret;
crypto_stats_get(alg);
if (crypto_aead_get_flags(aead) & CRYPTO_TFM_NEED_KEY)
ret = -ENOKEY;
else
ret = crypto_aead_alg(aead)->encrypt(req);
crypto_stat_aead_encrypt(req, ret);
crypto_stats_aead_encrypt(cryptlen, alg, ret);
return ret;
}
@@ -391,15 +366,18 @@ static inline int crypto_aead_encrypt(struct aead_request *req)
static inline int crypto_aead_decrypt(struct aead_request *req)
{
struct crypto_aead *aead = crypto_aead_reqtfm(req);
struct crypto_alg *alg = aead->base.__crt_alg;
unsigned int cryptlen = req->cryptlen;
int ret;
crypto_stats_get(alg);
if (crypto_aead_get_flags(aead) & CRYPTO_TFM_NEED_KEY)
ret = -ENOKEY;
else if (req->cryptlen < crypto_aead_authsize(aead))
ret = -EINVAL;
else
ret = crypto_aead_alg(aead)->decrypt(req);
crypto_stat_aead_decrypt(req, ret);
crypto_stats_aead_decrypt(cryptlen, alg, ret);
return ret;
}