• Iuliana Prodan's avatar
    crypto: caam - fix use-after-free KASAN issue for AEAD algorithms · 5ed1e8b8
    Iuliana Prodan authored
    Here's the KASAN report:
    BUG: KASAN: use-after-free in aead_crypt_done+0x60/0xd8
    Read of size 1 at addr ffff00002303f014 by task swapper/0/0
    
    CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc1-00162-gfcb90d51 #58
    Hardware name: LS1046A RDB Board (DT)
    Call trace:
     dump_backtrace+0x0/0x260
     show_stack+0x14/0x20
     dump_stack+0xe8/0x144
     print_address_description.isra.11+0x64/0x348
     __kasan_report+0x11c/0x230
     kasan_report+0xc/0x18
     __asan_load1+0x5c/0x68
     aead_crypt_done+0x60/0xd8
     caam_jr_dequeue+0x390/0x608
     tasklet_action_common.isra.13+0x1ec/0x230
     tasklet_action+0x24/0x30
     efi_header_end+0x1a4/0x370
     irq_exit+0x114/0x128
     __handle_domain_irq+0x80/0xe0
     gic_handle_irq+0x50/0xa0
     el1_irq+0xb8/0x180
     _raw_spin_unlock_irq+0x2c/0x78
     finish_task_switch+0xa4/0x2f8
     __schedule+0x3a4/0x890
     schedule_idle+0x28/0x50
     do_idle+0x22c/0x338
     cpu_startup_entry+0x24/0x40
     rest_init+0xf8/0x10c
     arch_call_rest_init+0xc/0x14
     start_kernel+0x774/0x7b4
    
    Allocated by task 263:
     save_stack+0x24/0xb0
     __kasan_kmalloc.isra.10+0xc4/0xe0
     kasan_kmalloc+0xc/0x18
     __kmalloc+0x178/0x2b8
     aead_edesc_alloc+0x1b4/0xbf0
     ipsec_gcm_encrypt+0xd4/0x140
     crypto_aead_encrypt+0x50/0x68
     test_aead_vec_cfg+0x498/0xec0
     test_aead_vec+0x110/0x200
     alg_test_aead+0xfc/0x680
     alg_test.part.44+0x114/0x4a0
     alg_test+0x1c/0x60
     cryptomgr_test+0x34/0x58
     kthread+0x1b8/0x1c0
     ret_from_fork+0x10/0x18
    
    Freed by task 0:
     save_stack+0x24/0xb0
     __kasan_slab_free+0x10c/0x188
     kasan_slab_free+0x10/0x18
     kfree+0x7c/0x298
     aead_crypt_done+0x58/0xd8
     caam_jr_dequeue+0x390/0x608
     tasklet_action_common.isra.13+0x1ec/0x230
     tasklet_action+0x24/0x30
     efi_header_end+0x1a4/0x370
    
    The buggy address belongs to the object at ffff00002303f000
     which belongs to the cache dma-kmalloc-128 of size 128
    The buggy address is located 20 bytes inside of
     128-byte region [ffff00002303f000, ffff00002303f080)
    The buggy address belongs to the page:
    page:fffffe00006c0fc0 refcount:1 mapcount:0 mapping:ffff00093200c000 index:0x0
    flags: 0xffff00000000200(slab)
    raw: 0ffff00000000200 dead000000000100 dead000000000122 ffff00093200c000
    raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    
    Memory state around the buggy address:
     ffff00002303ef00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
     ffff00002303ef80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    >ffff00002303f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                             ^
     ffff00002303f080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffff00002303f100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    
    Fixes: 1c240226 ("crypto: caam - add crypto_engine support for AEAD algorithms")
    Signed-off-by: default avatarIuliana Prodan <iuliana.prodan@nxp.com>
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    5ed1e8b8
caamalg.c 94.6 KB