[patch 09/16] crypto: authenc - Avoid using clobbered requestpointer

From: Greg KH
Date: Wed Sep 03 2008 - 13:52:20 EST

Next message: Greg KH: "[patch 10/16] cramfs: fix named-pipe handling"
Previous message: Greg KH: "[patch 08/16] fbdefio: add set_page_dirty handler to deferred IO FB"
In reply to: Greg KH: "[patch 08/16] fbdefio: add set_page_dirty handler to deferred IO FB"
Next in thread: Greg KH: "[patch 10/16] cramfs: fix named-pipe handling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2.6.25-stable review patch. If anyone has any objections, please let us know.

------------------
From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>

crypto: authenc - Avoid using clobbered request pointer

[ Upstream commit: a697690bece75d4ba424c1318eb25c37d41d5829 ]

Authenc works in two stages for encryption, it first encrypts and
then computes an ICV. The context memory of the request is used
by both operations. The problem is that when an asynchronous
encryption completes, we will compute the ICV and then reread the
context memory of the encryption to get the original request.

It just happens that we have a buffer of 16 bytes in front of the
request pointer, so ICVs of 16 bytes (such as SHA1) do not trigger
the bug. However, any attempt to uses a larger ICV instantly kills
the machine when the first asynchronous encryption is completed.

This patch fixes this by saving the request pointer before we start
the ICV computation.

Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
crypto/authenc.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

--- a/crypto/authenc.c
+++ b/crypto/authenc.c
@@ -174,8 +174,9 @@ static int crypto_authenc_genicv(struct
static void crypto_authenc_encrypt_done(struct crypto_async_request *req,
int err)
{
+ struct aead_request *areq = req->data;
+
if (!err) {
- struct aead_request *areq = req->data;
struct crypto_aead *authenc = crypto_aead_reqtfm(areq);
struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
struct ablkcipher_request *abreq = aead_request_ctx(areq);
@@ -185,7 +186,7 @@ static void crypto_authenc_encrypt_done(
err = crypto_authenc_genicv(areq, iv, 0);
}

- aead_request_complete(req->data, err);
+ aead_request_complete(areq, err);
}

static int crypto_authenc_encrypt(struct aead_request *req)
@@ -216,14 +217,15 @@ static int crypto_authenc_encrypt(struct
static void crypto_authenc_givencrypt_done(struct crypto_async_request *req,
int err)
{
+ struct aead_request *areq = req->data;
+
if (!err) {
- struct aead_request *areq = req->data;
struct skcipher_givcrypt_request *greq = aead_request_ctx(areq);

err = crypto_authenc_genicv(areq, greq->giv, 0);
}

- aead_request_complete(req->data, err);
+ aead_request_complete(areq, err);
}

static int crypto_authenc_givencrypt(struct aead_givcrypt_request *req)

--
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "[patch 10/16] cramfs: fix named-pipe handling"
Previous message: Greg KH: "[patch 08/16] fbdefio: add set_page_dirty handler to deferred IO FB"
In reply to: Greg KH: "[patch 08/16] fbdefio: add set_page_dirty handler to deferred IO FB"
Next in thread: Greg KH: "[patch 10/16] cramfs: fix named-pipe handling"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]