From d76c68109f37cb85b243a1cf0f40313afd2bae68 Mon Sep 17 00:00:00 2001 |
From: Eric Biggers <ebiggers@google.com> |
Date: Wed, 20 Dec 2017 14:28:25 -0800 |
Subject: crypto: pcrypt - fix freeing pcrypt instances |
|
From: Eric Biggers <ebiggers@google.com> |
|
commit d76c68109f37cb85b243a1cf0f40313afd2bae68 upstream. |
|
pcrypt is using the old way of freeing instances, where the ->free() |
method specified in the 'struct crypto_template' is passed a pointer to |
the 'struct crypto_instance'. But the crypto_instance is being |
kfree()'d directly, which is incorrect because the memory was actually |
allocated as an aead_instance, which contains the crypto_instance at a |
nonzero offset. Thus, the wrong pointer was being kfree()'d. |
|
Fix it by switching to the new way to free aead_instance's where the |
->free() method is specified in the aead_instance itself. |
|
Reported-by: syzbot <syzkaller@googlegroups.com> |
Fixes: 0496f56065e0 ("crypto: pcrypt - Add support for new AEAD interface") |
Signed-off-by: Eric Biggers <ebiggers@google.com> |
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
--- |
crypto/pcrypt.c | 19 ++++++++++--------- |
1 file changed, 10 insertions(+), 9 deletions(-) |
|
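--- a/crypto/pcrypt.c
+++ b/crypto/pcrypt.c
@@ -254,6 +254,14 @@ static void pcrypt_aead_exit_tfm(struct
 	crypto_free_aead(ctx->child);
 }
 
+static void pcrypt_free(struct aead_instance *inst)
+{
+	struct pcrypt_instance_ctx *ctx = aead_instance_ctx(inst);
+
+	crypto_drop_aead(&ctx->spawn);
+	kfree(inst);
+}
+
 static int pcrypt_init_instance(struct crypto_instance *inst,
 				struct crypto_alg *alg)
 {
@@ -319,6 +327,8 @@ static int pcrypt_create_aead(struct cry
 	inst->alg.encrypt = pcrypt_aead_encrypt;
 	inst->alg.decrypt = pcrypt_aead_decrypt;
 
+	inst->free = pcrypt_free;
+
 	err = aead_register_instance(tmpl, inst);
 	if (err)
 		goto out_drop_aead;
@@ -349,14 +359,6 @@ static int pcrypt_create(struct crypto_t
 	return -EINVAL;
 }
 
-static void pcrypt_free(struct crypto_instance *inst)
-{
-	struct pcrypt_instance_ctx *ctx = crypto_instance_ctx(inst);
-
-	crypto_drop_aead(&ctx->spawn);
-	kfree(inst);
-}
-
 static int pcrypt_cpumask_change_notify(struct notifier_block *self,
 					unsigned long val, void *data)
 {
@@ -469,7 +471,6 @@ static void pcrypt_fini_padata(struct pa
 static struct crypto_template pcrypt_tmpl = {
 	.name = "pcrypt",
 	.create = pcrypt_create,
-	.free = pcrypt_free,
 	.module = THIS_MODULE,
 };
 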
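Review bot: The new pcrypt_free() in the first hunk carries no comment stating why it must receive the aead_instance pointer, which is exactly the invariant the old crypto_instance-based callback broke (the commit message explains that the embedded crypto_instance sits at a nonzero offset, so kfree() on it corrupted the allocator's view of the block); a short comment would keep a future refactor from reintroducing the wrong-pointer free. Suggested: `/* ->free callback for the aead_instance. inst is the allocation base; the embedded crypto_instance lives at a nonzero offset and must never be passed to kfree() itself. */`. In the second hunk `inst->free = pcrypt_free;` is assigned before aead_register_instance(), and the `goto out_drop_aead` error path that follows lies outside the hunk, so it is worth confirming that path still drops the spawn and frees inst directly rather than relying on the callback, which presumably runs only for instances that were successfully registered. The remaining two hunks only remove the old template-level ->free and its definition and need nothing further.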