
[4.19,012/168] crypto: ccree - fix resource leak on error path

Message ID 20200817143734.336080170@linuxfoundation.org
State Superseded

Commit Message

Greg Kroah-Hartman Aug. 17, 2020, 3:15 p.m. UTC
From: Gilad Ben-Yossef <gilad@benyossef.com>


[ Upstream commit 9bc6165d608d676f05d8bf156a2c9923ee38d05b ]

Fix a small resource leak on the error path of cipher processing.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>

Fixes: 63ee04c8b491e ("crypto: ccree - add skcipher support")
Cc: Markus Elfring <Markus.Elfring@web.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Signed-off-by: Sasha Levin <sashal@kernel.org>

---
 drivers/crypto/ccree/cc_cipher.c | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

-- 
2.25.1

Comments

Pavel Machek Aug. 18, 2020, 9:22 a.m. UTC | #1
Hi!

> Fix a small resource leak on the error path of cipher processing.


I believe this one is wrong.

> @@ -149,10 +148,19 @@ static int cc_cipher_init(struct crypto_tfm *tfm)

>  	ctx_p->flow_mode = cc_alg->flow_mode;

>  	ctx_p->drvdata = cc_alg->drvdata;

>  

> +	if (ctx_p->cipher_mode == DRV_CIPHER_ESSIV) {

> +		/* Alloc hash tfm for essiv */

> +		ctx_p->shash_tfm = crypto_alloc_shash("sha256-generic", 0, 0);

> +		if (IS_ERR(ctx_p->shash_tfm)) {

> +			dev_err(dev, "Error allocating hash tfm for ESSIV.\n");

> +			return PTR_ERR(ctx_p->shash_tfm);

> +		}

> +	}


shash_tfm() is only allocated conditionally.

> +free_key:

> +	kfree(ctx_p->user.key);

> +free_shash:

> +	crypto_free_shash(ctx_p->shash_tfm);


But it is freed unconditionally, and free_shash() is not robust
against NULL pointer due to undefined behaviour in crypto_shash_tfm.

Additionally, it would be cleaner to set ctx_p->shash_tfm to NULL in
this path.

Best regards,
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
Herbert Xu Aug. 21, 2020, 8:05 a.m. UTC | #2
On Tue, Aug 18, 2020 at 11:22:31AM +0200, Pavel Machek wrote:
>

> But it is freed unconditionally, and free_shash() is not robust

> against NULL pointer due to undefined behaviour in crypto_shash_tfm.


crypto_free_shash calls crypto_destroy_tfm with both the original
pointer as well as the crypto_shash_tfm pointer so it does the
right thing for NULL pointers.  Please check again.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Patch

diff --git a/drivers/crypto/ccree/cc_cipher.c b/drivers/crypto/ccree/cc_cipher.c
index 28a5b8b38fa2f..1bcb6f0157b07 100644
--- a/drivers/crypto/ccree/cc_cipher.c
+++ b/drivers/crypto/ccree/cc_cipher.c
@@ -137,7 +137,6 @@  static int cc_cipher_init(struct crypto_tfm *tfm)
 				     skcipher_alg.base);
 	struct device *dev = drvdata_to_dev(cc_alg->drvdata);
 	unsigned int max_key_buf_size = cc_alg->skcipher_alg.max_keysize;
-	int rc = 0;
 
 	dev_dbg(dev, "Initializing context @%p for %s\n", ctx_p,
 		crypto_tfm_alg_name(tfm));
@@ -149,10 +148,19 @@  static int cc_cipher_init(struct crypto_tfm *tfm)
 	ctx_p->flow_mode = cc_alg->flow_mode;
 	ctx_p->drvdata = cc_alg->drvdata;
 
+	if (ctx_p->cipher_mode == DRV_CIPHER_ESSIV) {
+		/* Alloc hash tfm for essiv */
+		ctx_p->shash_tfm = crypto_alloc_shash("sha256-generic", 0, 0);
+		if (IS_ERR(ctx_p->shash_tfm)) {
+			dev_err(dev, "Error allocating hash tfm for ESSIV.\n");
+			return PTR_ERR(ctx_p->shash_tfm);
+		}
+	}
+
 	/* Allocate key buffer, cache line aligned */
 	ctx_p->user.key = kmalloc(max_key_buf_size, GFP_KERNEL);
 	if (!ctx_p->user.key)
-		return -ENOMEM;
+		goto free_shash;
 
 	dev_dbg(dev, "Allocated key buffer in context. key=@%p\n",
 		ctx_p->user.key);
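Review bot: On the `IS_ERR` branch the error-encoded value stays stored in `ctx_p->shash_tfm` when the function returns, and the `free_key` path in the last hunk likewise leaves `ctx_p->user.key` pointing at freed memory. The crypto API should not run the exit hook after a failed init, so this looks defensive rather than a live double free, but that assumes nothing else reads the context afterwards. Allocating into a local and assigning `ctx_p->shash_tfm` only on success, plus `ctx_p->user.key = NULL;` after the `kfree()`, would keep the context free of stale pointers. cc_cipher_init begins before this hunk and ends in the next one.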
@@ -164,21 +172,19 @@  static int cc_cipher_init(struct crypto_tfm *tfm)
 	if (dma_mapping_error(dev, ctx_p->user.key_dma_addr)) {
 		dev_err(dev, "Mapping Key %u B at va=%pK for DMA failed\n",
 			max_key_buf_size, ctx_p->user.key);
-		return -ENOMEM;
+		goto free_key;
 	}
 	dev_dbg(dev, "Mapped key %u B at va=%pK to dma=%pad\n",
 		max_key_buf_size, ctx_p->user.key, &ctx_p->user.key_dma_addr);
 
-	if (ctx_p->cipher_mode == DRV_CIPHER_ESSIV) {
-		/* Alloc hash tfm for essiv */
-		ctx_p->shash_tfm = crypto_alloc_shash("sha256-generic", 0, 0);
-		if (IS_ERR(ctx_p->shash_tfm)) {
-			dev_err(dev, "Error allocating hash tfm for ESSIV.\n");
-			return PTR_ERR(ctx_p->shash_tfm);
-		}
-	}
+	return 0;
 
-	return rc;
+free_key:
+	kfree(ctx_p->user.key);
+free_shash:
+	crypto_free_shash(ctx_p->shash_tfm);
+
+	return -ENOMEM;
 }
 
 static void cc_cipher_exit(struct crypto_tfm *tfm)
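Review bot: The `kfree(ctx_p->user.key)` under `free_key` deserves a one-line comment saying why a non-zeroizing free is acceptable for a key buffer. From the visible lines the buffer has only been allocated and handed to the DMA mapping at that point, with no key bytes written, though the lines between the second and third hunks are not shown here. Something like `/* no key material stored yet, plain kfree() is enough */` would stop a later reader from copying the pattern to a path that runs after setkey. cc_cipher_init starts before this hunk.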