Commit e30368f3 authored by Gilad Ben-Yossef's avatar Gilad Ben-Yossef Committed by Herbert Xu

crypto: ccree - zero all of request ctx before use

In certain error path req_ctx->iv was being freed despite
not being allocated because it was not initialized to NULL.
Rather than play whack a mole with the structure various
field, zero it before use.

This fixes a kernel panic that may occur if an invalid
buffer size was requested triggering the bug above.

Fixes: 63ee04c8 ("crypto: ccree - add skcipher support")
Reported-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: default avatarGilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
parent f5c19df9
......@@ -767,7 +767,7 @@ static int cc_cipher_encrypt(struct skcipher_request *req)
{
struct cipher_req_ctx *req_ctx = skcipher_request_ctx(req);
req_ctx->backup_info = NULL;
memset(req_ctx, 0, sizeof(*req_ctx));
return cc_cipher_process(req, DRV_CRYPTO_DIRECTION_ENCRYPT);
}
......@@ -782,6 +782,8 @@ static int cc_cipher_decrypt(struct skcipher_request *req)
gfp_t flags = cc_gfp_flags(&req->base);
unsigned int len;
memset(req_ctx, 0, sizeof(*req_ctx));
if (ctx_p->cipher_mode == DRV_CIPHER_CBC) {
/* Allocate and save the last IV sized bytes of the source,
......@@ -794,8 +796,6 @@ static int cc_cipher_decrypt(struct skcipher_request *req)
len = req->cryptlen - ivsize;
scatterwalk_map_and_copy(req_ctx->backup_info, req->src, len,
ivsize, 0);
} else {
req_ctx->backup_info = NULL;
}
return cc_cipher_process(req, DRV_CRYPTO_DIRECTION_DECRYPT);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment