• Iuliana Prodan's avatar
    crypto: caam - fix the address of the last entry of S/G · 55b3209a
    Iuliana Prodan authored
    For skcipher algorithms, the input, output HW S/G tables
    look like this: [IV, src][dst, IV]
    Now, we can have 2 conditions here:
    - there is no IV;
    - src and dst are equal (in-place encryption) and scattered
    and the error is an "off-by-one" in the HW S/G table.
    
    This issue was seen with KASAN:
    BUG: KASAN: slab-out-of-bounds in skcipher_edesc_alloc+0x95c/0x1018
    
    Read of size 4 at addr ffff000022a02958 by task cryptomgr_test/321
    
    CPU: 2 PID: 321 Comm: cryptomgr_test Not tainted
    5.6.0-rc1-00165-ge4ef8383-dirty #4
    Hardware name: LS1046A RDB Board (DT)
    Call trace:
     dump_backtrace+0x0/0x260
     show_stack+0x14/0x20
     dump_stack+0xe8/0x144
     print_address_description.isra.11+0x64/0x348
     __kasan_report+0x11c/0x230
     kasan_report+0xc/0x18
     __asan_load4+0x90/0xb0
     skcipher_edesc_alloc+0x95c/0x1018
     skcipher_encrypt+0x84/0x150
     crypto_skcipher_encrypt+0x50/0x68
     test_skcipher_vec_cfg+0x4d4/0xc10
     test_skcipher_vec+0x178/0x1d8
     alg_test_skcipher+0xec/0x230
     alg_test.part.44+0x114/0x4a0
     alg_test+0x1c/0x60
     cryptomgr_test+0x34/0x58
     kthread+0x1b8/0x1c0
     ret_from_fork+0x10/0x18
    
    Allocated by task 321:
     save_stack+0x24/0xb0
     __kasan_kmalloc.isra.10+0xc4/0xe0
     kasan_kmalloc+0xc/0x18
     __kmalloc+0x178/0x2b8
     skcipher_edesc_alloc+0x21c/0x1018
     skcipher_encrypt+0x84/0x150
     crypto_skcipher_encrypt+0x50/0x68
     test_skcipher_vec_cfg+0x4d4/0xc10
     test_skcipher_vec+0x178/0x1d8
     alg_test_skcipher+0xec/0x230
     alg_test.part.44+0x114/0x4a0
     alg_test+0x1c/0x60
     cryptomgr_test+0x34/0x58
     kthread+0x1b8/0x1c0
     ret_from_fork+0x10/0x18
    
    Freed by task 0:
    (stack is not available)
    
    The buggy address belongs to the object at ffff000022a02800
     which belongs to the cache dma-kmalloc-512 of size 512
    The buggy address is located 344 bytes inside of
     512-byte region [ffff000022a02800, ffff000022a02a00)
    The buggy address belongs to the page:
    page:fffffe00006a8000 refcount:1 mapcount:0 mapping:ffff00093200c400
    index:0x0 compound_mapcount: 0
    flags: 0xffff00000010200(slab|head)
    raw: 0ffff00000010200 dead000000000100 dead000000000122 ffff00093200c400
    raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    
    Memory state around the buggy address:
     ffff000022a02800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffff000022a02880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    >ffff000022a02900: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
                                                        ^
     ffff000022a02980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffff000022a02a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    
    Fixes: 334d37c9 ("crypto: caam - update IV using HW support")
    Cc: <stable@vger.kernel.org> # v5.3+
    Signed-off-by: default avatarIuliana Prodan <iuliana.prodan@nxp.com>
    Reviewed-by: default avatarHoria Geantă <horia.geanta@nxp.com>
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    55b3209a
caamalg.c 94.6 KB