[PATCH] crypto: ccp - zero the cmd data after using it
From: Liwei Song
Date: Mon Aug 03 2020 - 03:59:48 EST
The following assignment exists in ccp (ignoring the forced
conversion of the struct), done by list_del in ccp_dequeue_cmd():
req->__ctx->cmd->entry->next = LIST_POISON1;
After using the req, kzfree(req) cannot zero the entry
(entry->next = LIST_POISON1) of the ccp_cmd (cmd) struct.
When this address becomes available as a slub freelist pointer, this will cause
the following "general protection fault" error if some process hits
this LIST_POISON1 address when requesting memory:
general protection fault: 0000 1 PREEMPT SMP NOPTI
CPU: 13 PID: 111282 Comm: msgstress03 Not tainted 5.2.45-yocto-standard #1
Hardware name: AMD Corporation Wallaby/Wallaby, BIOS WWB7713N 07/11/2017
RIP: 0010:__kmalloc_node+0x106/0x2f0
RSP: 0018:ffffaa6dd83ffdc8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000033e0cd
RDX: 000000000033e08d RSI: 000000000033e08d RDI: 000000000002c180
RBP: ffffaa6dd83ffe00 R08: 00000000000000d4 R09: ffff966c9dc07180
R10: dead000000000100 R11: 0000000000000000 R12: 0000000000000cc0
R13: 0000000000000100 R14: 00000000ffffffff R15: ffff966c9dc07180
FS: 00007f83bb756600(0000) GS:ffff966c9e340000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f83bb6917e0 CR3: 000000080b794000 CR4: 00000000003406e0
Call Trace:
? kvmalloc_node+0x7b/0x90
kvmalloc_node+0x7b/0x90
newque+0x32/0x1a0
ipcget+0x27a/0x2c0
ksys_msgget+0x51/0x70
__x64_sys_msgget+0x16/0x20
do_syscall_64+0x4d/0x130
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f83bb6917e7
Fix it by zeroing the cmd struct after finishing using it.
Signed-off-by: Liwei Song <liwei.song@xxxxxxxxxxxxx>
---
drivers/crypto/ccp/ccp-dev.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/crypto/ccp/ccp-dev.c b/drivers/crypto/ccp/ccp-dev.c
index edefa669153f..75a6418d541d 100644
--- a/drivers/crypto/ccp/ccp-dev.c
+++ b/drivers/crypto/ccp/ccp-dev.c
@@ -409,6 +409,7 @@ static void ccp_do_cmd_complete(unsigned long data)
cmd->callback(cmd->data, cmd->ret);
complete(&tdata->completion);
+ memset(cmd, 0, sizeof(*cmd));
}
/**
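Review bot: the added memset(cmd, 0, sizeof(*cmd)) runs after cmd->callback(cmd->data, cmd->ret) and complete(&tdata->completion) have both returned, so by the time it executes the callback (or the waiter woken by complete()) may already have released or reused the memory that embeds the cmd; the description itself says the req holding the cmd is later freed with kzfree(req), so zeroing at this point writes to memory that ccp_do_cmd_complete() no longer owns. Clearing the poisoned list entry before handing the cmd back, e.g. INIT_LIST_HEAD(&cmd->entry) ahead of the callback while this function still owns the struct, avoids that ordering problem and also avoids wiping cmd->ret and cmd->data, which the callback consumes. The description should also explain why kzfree(req) leaves entry->next holding LIST_POISON1 (R10: dead000000000100 in the trace), since kzfree() is expected to clear the whole allocation it frees; if the poison survives, the stale pointer may come from a use of the cmd after that free rather than from the entry not being cleared.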
--
2.17.1