[PATCH 3.10 10/11] crypto: caam - fix memory corruption in ahash_final_ctx

From: Greg Kroah-Hartman
Date: Fri Sep 11 2015 - 18:49:42 EST

Next message: Greg Kroah-Hartman: "[PATCH 3.14 09/18] EDAC, ppc4xx: Access mci->csrows array elements properly"
Previous message: Greg Kroah-Hartman: "[PATCH 3.10 11/11] arm64/mm: Remove hack in mmap randomize layout"
In reply to: Greg Kroah-Hartman: "[PATCH 3.10 11/11] arm64/mm: Remove hack in mmap randomize layout"
Next in thread: Greg Kroah-Hartman: "[PATCH 3.10 09/11] libfc: Fix fc_fcp_cleanup_each_cmd()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

3.10-stable review patch. If anyone has any objections, please let me know.

------------------

From: Horia Geant? <horia.geanta@xxxxxxxxxxxxx>

commit b310c178e6d897f82abb9da3af1cd7c02b09f592 upstream.

When doing pointer operation for accessing the HW S/G table,
a value representing number of entries (and not number of bytes)
must be used.

Fixes: 045e36780f115 ("crypto: caam - ahash hmac support")
Signed-off-by: Horia Geant? <horia.geanta@xxxxxxxxxxxxx>
Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
drivers/crypto/caam/caamhash.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/crypto/caam/caamhash.c
+++ b/drivers/crypto/caam/caamhash.c
@@ -895,13 +895,14 @@ static int ahash_final_ctx(struct ahash_
state->buflen_1;
u32 *sh_desc = ctx->sh_desc_fin, *desc;
dma_addr_t ptr = ctx->sh_desc_fin_dma;
- int sec4_sg_bytes;
+ int sec4_sg_bytes, sec4_sg_src_index;
int digestsize = crypto_ahash_digestsize(ahash);
struct ahash_edesc *edesc;
int ret = 0;
int sh_len;

- sec4_sg_bytes = (1 + (buflen ? 1 : 0)) * sizeof(struct sec4_sg_entry);
+ sec4_sg_src_index = 1 + (buflen ? 1 : 0);
+ sec4_sg_bytes = sec4_sg_src_index * sizeof(struct sec4_sg_entry);

/* allocate space for base edesc and hw desc commands, link tables */
edesc = kmalloc(sizeof(struct ahash_edesc) + DESC_JOB_IO_LEN +
@@ -928,7 +929,7 @@ static int ahash_final_ctx(struct ahash_
state->buf_dma = try_buf_map_to_sec4_sg(jrdev, edesc->sec4_sg + 1,
buf, state->buf_dma, buflen,
last_buflen);
- (edesc->sec4_sg + sec4_sg_bytes - 1)->len |= SEC4_SG_LEN_FIN;
+ (edesc->sec4_sg + sec4_sg_src_index - 1)->len |= SEC4_SG_LEN_FIN;

append_seq_in_ptr(desc, edesc->sec4_sg_dma, ctx->ctx_len + buflen,
LDST_SGF);

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg Kroah-Hartman: "[PATCH 3.14 09/18] EDAC, ppc4xx: Access mci->csrows array elements properly"
Previous message: Greg Kroah-Hartman: "[PATCH 3.10 11/11] arm64/mm: Remove hack in mmap randomize layout"
In reply to: Greg Kroah-Hartman: "[PATCH 3.10 11/11] arm64/mm: Remove hack in mmap randomize layout"
Next in thread: Greg Kroah-Hartman: "[PATCH 3.10 09/11] libfc: Fix fc_fcp_cleanup_each_cmd()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]