| Message ID | 20200526031956.1897-2-longpeng2@huawei.com (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Herbert Xu |
| Headers | show |
| Series | crypto: virtio: Fix two crash issue | expand |
> Fix it by sg_next() on calculation of src/dst scatterlist. Wording adjustment: … by calling the function “sg_next” … … > +++ b/drivers/crypto/virtio/virtio_crypto_algs.c > @@ -350,13 +350,18 @@ __virtio_crypto_skcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req, … > src_nents = sg_nents_for_len(req->src, req->cryptlen); > + if (src_nents < 0) { > + pr_err("Invalid number of src SG.\n"); > + return src_nents; > + } > + > dst_nents = sg_nents(req->dst); … I suggest to move the addition of such input parameter validation to a separate update step. Regards, Markus
Hi Markus, On 2020/5/26 15:03, Markus Elfring wrote: >> Fix it by sg_next() on calculation of src/dst scatterlist. > > Wording adjustment: > … by calling the function “sg_next” … > OK, thanks. > > … >> +++ b/drivers/crypto/virtio/virtio_crypto_algs.c >> @@ -350,13 +350,18 @@ __virtio_crypto_skcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req, > … >> src_nents = sg_nents_for_len(req->src, req->cryptlen); >> + if (src_nents < 0) { >> + pr_err("Invalid number of src SG.\n"); >> + return src_nents; >> + } >> + >> dst_nents = sg_nents(req->dst); > … > > I suggest to move the addition of such input parameter validation > to a separate update step. > Um...The 'src_nents' will be used as a loop condition, so validate it here is needed ? ''' /* Source data */ - for (i = 0; i < src_nents; i++) - sgs[num_out++] = &req->src[i]; + for (sg = req->src; src_nents; sg = sg_next(sg), src_nents--) + sgs[num_out++] = sg; ''' > Regards, > Markus >
>> I suggest to move the addition of such input parameter validation >> to a separate update step. >> > Um...The 'src_nents' will be used as a loop condition, > so validate it here is needed ? Would you prefer to add such checking as the first update in another small patch series? Regards, Markus
<20200123101000.GB24255@Red>
References: <20200526031956.1897-2-longpeng2@huawei.com>
<20200123101000.GB24255@Red>
Hi
[This is an automated email]
This commit has been processed because it contains a "Fixes:" tag
fixing commit: dbaf0624ffa5 ("crypto: add virtio-crypto driver").
The bot has tested the following trees: v5.6.14, v5.4.42, v4.19.124, v4.14.181.
v5.6.14: Build OK!
v5.4.42: Failed to apply! Possible dependencies:
eee1d6fca0a0 ("crypto: virtio - switch to skcipher API")
v4.19.124: Failed to apply! Possible dependencies:
eee1d6fca0a0 ("crypto: virtio - switch to skcipher API")
v4.14.181: Failed to apply! Possible dependencies:
500e6807ce93 ("crypto: virtio - implement missing support for output IVs")
67189375bb3a ("crypto: virtio - convert to new crypto engine API")
d0d859bb87ac ("crypto: virtio - Register an algo only if it's supported")
e02b8b43f55a ("crypto: virtio - pr_err() strings should end with newlines")
eee1d6fca0a0 ("crypto: virtio - switch to skcipher API")
NOTE: The patch will not be queued to stable trees until it is upstream.
How should we proceed with this patch?
diff --git a/drivers/crypto/virtio/virtio_crypto_algs.c b/drivers/crypto/virtio/virtio_crypto_algs.c index fd045e64972a..5f8243563009 100644 --- a/drivers/crypto/virtio/virtio_crypto_algs.c +++ b/drivers/crypto/virtio/virtio_crypto_algs.c @@ -350,13 +350,18 @@ __virtio_crypto_skcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req, int err; unsigned long flags; struct scatterlist outhdr, iv_sg, status_sg, **sgs; - int i; u64 dst_len; unsigned int num_out = 0, num_in = 0; int sg_total; uint8_t *iv; + struct scatterlist *sg; src_nents = sg_nents_for_len(req->src, req->cryptlen); + if (src_nents < 0) { + pr_err("Invalid number of src SG.\n"); + return src_nents; + } + dst_nents = sg_nents(req->dst); pr_debug("virtio_crypto: Number of sgs (src_nents: %d, dst_nents: %d)\n", @@ -442,12 +447,12 @@ __virtio_crypto_skcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req, vc_sym_req->iv = iv; /* Source data */ - for (i = 0; i < src_nents; i++) - sgs[num_out++] = &req->src[i]; + for (sg = req->src; src_nents; sg = sg_next(sg), src_nents--) + sgs[num_out++] = sg; /* Destination data */ - for (i = 0; i < dst_nents; i++) - sgs[num_out + num_in++] = &req->dst[i]; + for (sg = req->dst; sg; sg = sg_next(sg)) + sgs[num_out + num_in++] = sg; /* Status */ sg_init_one(&status_sg, &vc_req->status, sizeof(vc_req->status));
The system will crash when the users insmod crypto/tcrypt.ko with mode=38 ( testing "cts(cbc(aes))" ). Usually the next entry of one sg will be @sg@ + 1, but if this sg element is part of a chained scatterlist, it could jump to the start of a new scatterlist array. Fix it by sg_next() on calculation of src/dst scatterlist. Fixes: dbaf0624ffa5 ("crypto: add virtio-crypto driver") Reported-by: LABBE Corentin <clabbe@baylibre.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Jason Wang <jasowang@redhat.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Markus Elfring <Markus.Elfring@web.de> Cc: virtualization@lists.linux-foundation.org Cc: linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org Message-Id: <20200123101000.GB24255@Red> Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> --- drivers/crypto/virtio/virtio_crypto_algs.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-)