| Message ID | 20240226215358.555234-1-andrej.skvortzov@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Herbert Xu |
| Headers | show |
| Series | crypto: sun8i-ce - Fix use after free in unprepare. | expand |
On 24-02-27 00:53, Andrey Skvortsov wrote: > sun8i_ce_cipher_unprepare should be called before > crypto_finalize_skcipher_request, because client callbacks may > immediately free memory, that isn't needed anymore. But it will be > used by unprepare after free. Before removing prepare/unprepare > callbacks it was handled by crypto engine in crypto_finalize_request. And potentially rk3288_crypto driver is affected by the similar problem. https://elixir.bootlin.com/linux/v6.8-rc6/source/drivers/crypto/rockchip/rk3288_crypto_ahash.c#L339 > > Usually that results in a pointer dereference problem during a in > crypto selftest. > Unable to handle kernel NULL pointer dereference at > virtual address 0000000000000030 > Mem abort info: > ESR = 0x0000000096000004 > EC = 0x25: DABT (current EL), IL = 32 bits > SET = 0, FnV = 0 > EA = 0, S1PTW = 0 > FSC = 0x04: level 0 translation fault > Data abort info: > ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 > CM = 0, WnR = 0, TnD = 0, TagAccess = 0 > GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 > user pgtable: 4k pages, 48-bit VAs, pgdp=000000004716d000 > [0000000000000030] pgd=0000000000000000, p4d=0000000000000000 > Internal error: Oops: 0000000096000004 [#1] SMP > > This problem is detected by KASAN as well. > ================================================================== > BUG: KASAN: slab-use-after-free in sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce] > Read of size 8 at addr ffff00000dcdc040 by task 1c15000.crypto-/373 > > Hardware name: Pine64 PinePhone (1.2) (DT) > Call trace: > dump_backtrace+0x9c/0x128 > show_stack+0x20/0x38 > dump_stack_lvl+0x48/0x60 > print_report+0xf8/0x5d8 > kasan_report+0x90/0xd0 > __asan_load8+0x9c/0xc0 > sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce] > crypto_pump_work+0x354/0x620 [crypto_engine] > kthread_worker_fn+0x244/0x498 > kthread+0x168/0x178 > ret_from_fork+0x10/0x20 > > Allocated by task 379: > kasan_save_stack+0x3c/0x68 > kasan_set_track+0x2c/0x40 > kasan_save_alloc_info+0x24/0x38 > __kasan_kmalloc+0xd4/0xd8 > __kmalloc+0x74/0x1d0 > alg_test_skcipher+0x90/0x1f0 > alg_test+0x24c/0x830 > cryptomgr_test+0x38/0x60 > kthread+0x168/0x178 > ret_from_fork+0x10/0x20 > > Freed by task 379: > kasan_save_stack+0x3c/0x68 > kasan_set_track+0x2c/0x40 > kasan_save_free_info+0x38/0x60 > __kasan_slab_free+0x100/0x170 > slab_free_freelist_hook+0xd4/0x1e8 > __kmem_cache_free+0x15c/0x290 > kfree+0x74/0x100 > kfree_sensitive+0x80/0xb0 > alg_test_skcipher+0x12c/0x1f0 > alg_test+0x24c/0x830 > cryptomgr_test+0x38/0x60 > kthread+0x168/0x178 > ret_from_fork+0x10/0x20 > > The buggy address belongs to the object at ffff00000dcdc000 > which belongs to the cache kmalloc-256 of size 256 > The buggy address is located 64 bytes inside of > freed 256-byte region [ffff00000dcdc000, ffff00000dcdc100) > > Signed-off-by: Andrey Skvortsov <andrej.skvortzov@gmail.com> > Fixes: 4136212ab18e ("crypto: sun8i-ce - Remove prepare/unprepare request")
On Tue, Feb 27, 2024 at 01:05:30AM +0300, Andrey Skvortsov wrote: > > And potentially rk3288_crypto driver is affected by the similar > problem. Indeed, and there is one more in sun8i-ce. I'll send out patches for them. Thanks,
On Wed, Feb 28, 2024 at 05:07:19PM +0800, Herbert Xu wrote: > On Tue, Feb 27, 2024 at 01:05:30AM +0300, Andrey Skvortsov wrote: > > > > And potentially rk3288_crypto driver is affected by the similar > > problem. > > Indeed, and there is one more in sun8i-ce. I'll send out patches > for them. Silly me, sunn8i-ce is the one that you've already found :)
On Tue, Feb 27, 2024 at 12:53:57AM +0300, Andrey Skvortsov wrote: > sun8i_ce_cipher_unprepare should be called before > crypto_finalize_skcipher_request, because client callbacks may > immediately free memory, that isn't needed anymore. But it will be > used by unprepare after free. Before removing prepare/unprepare > callbacks it was handled by crypto engine in crypto_finalize_request. > > Usually that results in a pointer dereference problem during a in > crypto selftest. > Unable to handle kernel NULL pointer dereference at > virtual address 0000000000000030 > Mem abort info: > ESR = 0x0000000096000004 > EC = 0x25: DABT (current EL), IL = 32 bits > SET = 0, FnV = 0 > EA = 0, S1PTW = 0 > FSC = 0x04: level 0 translation fault > Data abort info: > ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 > CM = 0, WnR = 0, TnD = 0, TagAccess = 0 > GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 > user pgtable: 4k pages, 48-bit VAs, pgdp=000000004716d000 > [0000000000000030] pgd=0000000000000000, p4d=0000000000000000 > Internal error: Oops: 0000000096000004 [#1] SMP > > This problem is detected by KASAN as well. > ================================================================== > BUG: KASAN: slab-use-after-free in sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce] > Read of size 8 at addr ffff00000dcdc040 by task 1c15000.crypto-/373 > > Hardware name: Pine64 PinePhone (1.2) (DT) > Call trace: > dump_backtrace+0x9c/0x128 > show_stack+0x20/0x38 > dump_stack_lvl+0x48/0x60 > print_report+0xf8/0x5d8 > kasan_report+0x90/0xd0 > __asan_load8+0x9c/0xc0 > sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce] > crypto_pump_work+0x354/0x620 [crypto_engine] > kthread_worker_fn+0x244/0x498 > kthread+0x168/0x178 > ret_from_fork+0x10/0x20 > > Allocated by task 379: > kasan_save_stack+0x3c/0x68 > kasan_set_track+0x2c/0x40 > kasan_save_alloc_info+0x24/0x38 > __kasan_kmalloc+0xd4/0xd8 > __kmalloc+0x74/0x1d0 > alg_test_skcipher+0x90/0x1f0 > alg_test+0x24c/0x830 > cryptomgr_test+0x38/0x60 > kthread+0x168/0x178 > ret_from_fork+0x10/0x20 > > Freed by task 379: > kasan_save_stack+0x3c/0x68 > kasan_set_track+0x2c/0x40 > kasan_save_free_info+0x38/0x60 > __kasan_slab_free+0x100/0x170 > slab_free_freelist_hook+0xd4/0x1e8 > __kmem_cache_free+0x15c/0x290 > kfree+0x74/0x100 > kfree_sensitive+0x80/0xb0 > alg_test_skcipher+0x12c/0x1f0 > alg_test+0x24c/0x830 > cryptomgr_test+0x38/0x60 > kthread+0x168/0x178 > ret_from_fork+0x10/0x20 > > The buggy address belongs to the object at ffff00000dcdc000 > which belongs to the cache kmalloc-256 of size 256 > The buggy address is located 64 bytes inside of > freed 256-byte region [ffff00000dcdc000, ffff00000dcdc100) > > Signed-off-by: Andrey Skvortsov <andrej.skvortzov@gmail.com> > Fixes: 4136212ab18e ("crypto: sun8i-ce - Remove prepare/unprepare request") > --- > .../allwinner/sun8i-ce/sun8i-ce-cipher.c | 34 +++++++++---------- > 1 file changed, 17 insertions(+), 17 deletions(-) Patch applied. Thanks.
Hi Herbert, On 24-02-28 17:18, Herbert Xu wrote: > On Tue, Feb 27, 2024 at 12:53:57AM +0300, Andrey Skvortsov wrote: > > sun8i_ce_cipher_unprepare should be called before > > crypto_finalize_skcipher_request, because client callbacks may > > immediately free memory, that isn't needed anymore. But it will be > > used by unprepare after free. Before removing prepare/unprepare > > callbacks it was handled by crypto engine in crypto_finalize_request. > > > > Usually that results in a pointer dereference problem during a in > > crypto selftest. > > Unable to handle kernel NULL pointer dereference at > > virtual address 0000000000000030 ... > > > > Signed-off-by: Andrey Skvortsov <andrej.skvortzov@gmail.com> > > Fixes: 4136212ab18e ("crypto: sun8i-ce - Remove prepare/unprepare request") > > --- > > .../allwinner/sun8i-ce/sun8i-ce-cipher.c | 34 +++++++++---------- > > 1 file changed, 17 insertions(+), 17 deletions(-) > > Patch applied. Thanks. You marked your rockchip fix for backport to stable releases. Cc: <stable@vger.kernel.org> I think it makes sense to do the same for the sun8i-ce fix as well.
On Wed, Feb 28, 2024 at 11:46:12PM +0300, Andrey Skvortsov wrote: > > You marked your rockchip fix for backport to stable releases. > Cc: <stable@vger.kernel.org> > > I think it makes sense to do the same for the sun8i-ce fix as well. I already added the Cc tag. Thanks,
diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c index 1262a7773ef3..de50c00ba218 100644 --- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c +++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-cipher.c @@ -299,22 +299,6 @@ static int sun8i_ce_cipher_prepare(struct crypto_engine *engine, void *async_req return err; } -static void sun8i_ce_cipher_run(struct crypto_engine *engine, void *areq) -{ - struct skcipher_request *breq = container_of(areq, struct skcipher_request, base); - struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(breq); - struct sun8i_cipher_tfm_ctx *op = crypto_skcipher_ctx(tfm); - struct sun8i_ce_dev *ce = op->ce; - struct sun8i_cipher_req_ctx *rctx = skcipher_request_ctx(breq); - int flow, err; - - flow = rctx->flow; - err = sun8i_ce_run_task(ce, flow, crypto_tfm_alg_name(breq->base.tfm)); - local_bh_disable(); - crypto_finalize_skcipher_request(engine, breq, err); - local_bh_enable(); -} - static void sun8i_ce_cipher_unprepare(struct crypto_engine *engine, void *async_req) { @@ -360,6 +344,23 @@ static void sun8i_ce_cipher_unprepare(struct crypto_engine *engine, dma_unmap_single(ce->dev, rctx->addr_key, op->keylen, DMA_TO_DEVICE); } +static void sun8i_ce_cipher_run(struct crypto_engine *engine, void *areq) +{ + struct skcipher_request *breq = container_of(areq, struct skcipher_request, base); + struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(breq); + struct sun8i_cipher_tfm_ctx *op = crypto_skcipher_ctx(tfm); + struct sun8i_ce_dev *ce = op->ce; + struct sun8i_cipher_req_ctx *rctx = skcipher_request_ctx(breq); + int flow, err; + + flow = rctx->flow; + err = sun8i_ce_run_task(ce, flow, crypto_tfm_alg_name(breq->base.tfm)); + sun8i_ce_cipher_unprepare(engine, areq); + local_bh_disable(); + crypto_finalize_skcipher_request(engine, breq, err); + local_bh_enable(); +} + int sun8i_ce_cipher_do_one(struct crypto_engine *engine, void *areq) { int err = sun8i_ce_cipher_prepare(engine, areq); @@ -368,7 +369,6 @@ int sun8i_ce_cipher_do_one(struct crypto_engine *engine, void *areq) return err; sun8i_ce_cipher_run(engine, areq); - sun8i_ce_cipher_unprepare(engine, areq); return 0; }
sun8i_ce_cipher_unprepare should be called before crypto_finalize_skcipher_request, because client callbacks may immediately free memory, that isn't needed anymore. But it will be used by unprepare after free. Before removing prepare/unprepare callbacks it was handled by crypto engine in crypto_finalize_request. Usually that results in a pointer dereference problem during a in crypto selftest. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000030 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000004716d000 [0000000000000030] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] SMP This problem is detected by KASAN as well. ================================================================== BUG: KASAN: slab-use-after-free in sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce] Read of size 8 at addr ffff00000dcdc040 by task 1c15000.crypto-/373 Hardware name: Pine64 PinePhone (1.2) (DT) Call trace: dump_backtrace+0x9c/0x128 show_stack+0x20/0x38 dump_stack_lvl+0x48/0x60 print_report+0xf8/0x5d8 kasan_report+0x90/0xd0 __asan_load8+0x9c/0xc0 sun8i_ce_cipher_do_one+0x6e8/0xf80 [sun8i_ce] crypto_pump_work+0x354/0x620 [crypto_engine] kthread_worker_fn+0x244/0x498 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Allocated by task 379: kasan_save_stack+0x3c/0x68 kasan_set_track+0x2c/0x40 kasan_save_alloc_info+0x24/0x38 __kasan_kmalloc+0xd4/0xd8 __kmalloc+0x74/0x1d0 alg_test_skcipher+0x90/0x1f0 alg_test+0x24c/0x830 cryptomgr_test+0x38/0x60 kthread+0x168/0x178 ret_from_fork+0x10/0x20 Freed by task 379: kasan_save_stack+0x3c/0x68 kasan_set_track+0x2c/0x40 kasan_save_free_info+0x38/0x60 __kasan_slab_free+0x100/0x170 slab_free_freelist_hook+0xd4/0x1e8 __kmem_cache_free+0x15c/0x290 kfree+0x74/0x100 kfree_sensitive+0x80/0xb0 alg_test_skcipher+0x12c/0x1f0 alg_test+0x24c/0x830 cryptomgr_test+0x38/0x60 kthread+0x168/0x178 ret_from_fork+0x10/0x20 The buggy address belongs to the object at ffff00000dcdc000 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 64 bytes inside of freed 256-byte region [ffff00000dcdc000, ffff00000dcdc100) Signed-off-by: Andrey Skvortsov <andrej.skvortzov@gmail.com> Fixes: 4136212ab18e ("crypto: sun8i-ce - Remove prepare/unprepare request") --- .../allwinner/sun8i-ce/sun8i-ce-cipher.c | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-)