diff mbox series

crypto: mxs-dcp: Ensure payload is zero when using key slot

Message ID 20240703124958.45898-1-david@sigma-star.at (mailing list archive)
State New
Headers show
Series crypto: mxs-dcp: Ensure payload is zero when using key slot | expand

Commit Message

David Gstir July 3, 2024, 12:49 p.m. UTC
We could leak stack memory through the payload field when running
AES with a key from one of the hardware's key slots. Fix this by
ensuring the payload field is set to 0 in such cases.

This does not affect the common use case when the key is supplied
from main memory via the descriptor payload.

Signed-off-by: David Gstir <david@sigma-star.at>
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202405270146.Y9tPoil8-lkp@intel.com/
Fixes: 3d16af0b4cfa ("crypto: mxs-dcp: Add support for hardware-bound keys")
---
 drivers/crypto/mxs-dcp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Jarkko Sakkinen July 3, 2024, 5:21 p.m. UTC | #1
On Wed Jul 3, 2024 at 3:49 PM EEST, David Gstir wrote:
> We could leak stack memory through the payload field when running
> AES with a key from one of the hardware's key slots. Fix this by
> ensuring the payload field is set to 0 in such cases.
>
> This does not affect the common use case when the key is supplied
> from main memory via the descriptor payload.
>
> Signed-off-by: David Gstir <david@sigma-star.at>
> Reported-by: kernel test robot <lkp@intel.com>
> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> Closes: https://lore.kernel.org/r/202405270146.Y9tPoil8-lkp@intel.com/
> Fixes: 3d16af0b4cfa ("crypto: mxs-dcp: Add support for hardware-bound keys")
> ---
>  drivers/crypto/mxs-dcp.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/crypto/mxs-dcp.c b/drivers/crypto/mxs-dcp.c
> index 057d73c370b7..c82775dbb557 100644
> --- a/drivers/crypto/mxs-dcp.c
> +++ b/drivers/crypto/mxs-dcp.c
> @@ -225,7 +225,8 @@ static int mxs_dcp_start_dma(struct dcp_async_ctx *actx)
>  static int mxs_dcp_run_aes(struct dcp_async_ctx *actx,
>  			   struct skcipher_request *req, int init)
>  {
> -	dma_addr_t key_phys, src_phys, dst_phys;
> +	dma_addr_t key_phys = 0;
> +	dma_addr_t src_phys, dst_phys;
>  	struct dcp *sdcp = global_sdcp;
>  	struct dcp_dma_desc *desc = &sdcp->coh->desc[actx->chan];
>  	struct dcp_aes_req_ctx *rctx = skcipher_request_ctx(req);

I'm on holiday up until week 31 so might be that review will take
up to then.

BR, Jarkko
Herbert Xu July 12, 2024, 11:55 p.m. UTC | #2
On Wed, Jul 03, 2024 at 02:49:58PM +0200, David Gstir wrote:
> We could leak stack memory through the payload field when running
> AES with a key from one of the hardware's key slots. Fix this by
> ensuring the payload field is set to 0 in such cases.
> 
> This does not affect the common use case when the key is supplied
> from main memory via the descriptor payload.
> 
> Signed-off-by: David Gstir <david@sigma-star.at>
> Reported-by: kernel test robot <lkp@intel.com>
> Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> Closes: https://lore.kernel.org/r/202405270146.Y9tPoil8-lkp@intel.com/
> Fixes: 3d16af0b4cfa ("crypto: mxs-dcp: Add support for hardware-bound keys")
> ---
>  drivers/crypto/mxs-dcp.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Patch applied.  Thanks.
diff mbox series

Patch

diff --git a/drivers/crypto/mxs-dcp.c b/drivers/crypto/mxs-dcp.c
index 057d73c370b7..c82775dbb557 100644
--- a/drivers/crypto/mxs-dcp.c
+++ b/drivers/crypto/mxs-dcp.c
@@ -225,7 +225,8 @@  static int mxs_dcp_start_dma(struct dcp_async_ctx *actx)
 static int mxs_dcp_run_aes(struct dcp_async_ctx *actx,
 			   struct skcipher_request *req, int init)
 {
-	dma_addr_t key_phys, src_phys, dst_phys;
+	dma_addr_t key_phys = 0;
+	dma_addr_t src_phys, dst_phys;
 	struct dcp *sdcp = global_sdcp;
 	struct dcp_dma_desc *desc = &sdcp->coh->desc[actx->chan];
 	struct dcp_aes_req_ctx *rctx = skcipher_request_ctx(req);