[PATCH 3/4] crypto: ccree: zero all of request ctx before use

From: Gilad Ben-Yossef
Date: Tue Jul 24 2018 - 10:14:01 EST


In certain error path req_ctx->iv was being freed despite
not being allocated because it was not initialized to NULL.
Rather than play whack a mole with the structure various
field, zero it before use.

This fixes a kernel panic that may occur if an invalid
buffer size was requested triggering the bug above.

Fixes: 63ee04c8b491 ("crypto: ccree - add skcipher support")
Reported-by: Geert Uytterhoeven <geert+renesas@xxxxxxxxx>
Signed-off-by: Gilad Ben-Yossef <gilad@xxxxxxxxxxxxx>
---
drivers/crypto/ccree/cc_cipher.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/crypto/ccree/cc_cipher.c b/drivers/crypto/ccree/cc_cipher.c
index 64740dd..9da0ecc 100644
--- a/drivers/crypto/ccree/cc_cipher.c
+++ b/drivers/crypto/ccree/cc_cipher.c
@@ -767,7 +767,7 @@ static int cc_cipher_encrypt(struct skcipher_request *req)
{
struct cipher_req_ctx *req_ctx = skcipher_request_ctx(req);

- req_ctx->backup_info = NULL;
+ memset(req_ctx, 0, sizeof(*req_ctx));

return cc_cipher_process(req, DRV_CRYPTO_DIRECTION_ENCRYPT);
}
@@ -782,6 +782,8 @@ static int cc_cipher_decrypt(struct skcipher_request *req)
gfp_t flags = cc_gfp_flags(&req->base);
unsigned int len;

+ memset(req_ctx, 0, sizeof(*req_ctx));
+
if (ctx_p->cipher_mode == DRV_CIPHER_CBC) {

/* Allocate and save the last IV sized bytes of the source,
@@ -794,8 +796,6 @@ static int cc_cipher_decrypt(struct skcipher_request *req)
len = req->cryptlen - ivsize;
scatterwalk_map_and_copy(req_ctx->backup_info, req->src, len,
ivsize, 0);
- } else {
- req_ctx->backup_info = NULL;
}

return cc_cipher_process(req, DRV_CRYPTO_DIRECTION_DECRYPT);
--
2.7.4