ACK: [SRU Bionic/Focal/Hirsute/Impish/OEM-5.10/HWE-5.8] crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()

Kleber Souza kleber.souza at canonical.com
Fri Oct 22 12:58:01 UTC 2021


On 15.10.21 19:34, Thadeu Lima de Souza Cascardo wrote:
> From: Dan Carpenter <dan.carpenter at oracle.com>
> 
> There are three bugs in this code:
> 
> 1) If ccp_init_data() fails for &src then we need to free aad.
>     Use goto e_aad instead of goto e_ctx.
> 2) The label to free the &final_wa was named incorrectly as "e_tag" but
>     it should have been "e_final_wa".  One error path leaked &final_wa.
> 3) The &tag was leaked on one error path.  In that case, I added a free
>     before the goto because the resource was local to that block.
> 
> Fixes: 36cf515b9bbe ("crypto: ccp - Enable support for AES GCM on v5 CCPs")
> Reported-by: "minihanshen(沈明航)" <minihanshen at tencent.com>
> Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
> Reviewed-by: John Allen <john.allen at amd.com>
> Tested-by: John Allen <john.allen at amd.com>
> Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
> (cherry picked from commit 505d9dcb0f7ddf9d075e729523a33d38642ae680)
> CVE-2021-3764
> CVE-2021-3744
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>

Thanks

> ---
>   drivers/crypto/ccp/ccp-ops.c | 14 ++++++++------
>   1 file changed, 8 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
> index bb88198c874e..aa4e1a500691 100644
> --- a/drivers/crypto/ccp/ccp-ops.c
> +++ b/drivers/crypto/ccp/ccp-ops.c
> @@ -778,7 +778,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
>   				    in_place ? DMA_BIDIRECTIONAL
>   					     : DMA_TO_DEVICE);
>   		if (ret)
> -			goto e_ctx;
> +			goto e_aad;
>   
>   		if (in_place) {
>   			dst = src;
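
Review bot: At the `goto e_aad` after the failed ccp_init_data() call, the e_aad label and what it frees are outside the context shown, so the fix is complete only if e_aad releases aad and then continues into the e_ctx cleanup that the old target provided. Worth confirming that ordering in each target tree, since this is a cherry-pick applied across several series.
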
> @@ -863,7 +863,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
>   	op.u.aes.size = 0;
>   	ret = cmd_q->ccp->vdata->perform->aes(&op);
>   	if (ret)
> -		goto e_dst;
> +		goto e_final_wa;
>   
>   	if (aes->action == CCP_AES_ACTION_ENCRYPT) {
>   		/* Put the ciphered tag after the ciphertext. */
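
Review bot: The `goto e_final_wa` on the perform->aes() failure path targets a label that only exists once the last hunk renames e_tag, so this hunk cannot be carried separately from that one in a backport. The hunk also does not show where final_wa is set up; the jump is safe only if final_wa is initialized before this call on every path that reaches it.
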
> @@ -873,17 +873,19 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
>   		ret = ccp_init_dm_workarea(&tag, cmd_q, authsize,
>   					   DMA_BIDIRECTIONAL);
>   		if (ret)
> -			goto e_tag;
> +			goto e_final_wa;
>   		ret = ccp_set_dm_area(&tag, 0, p_tag, 0, authsize);
> -		if (ret)
> -			goto e_tag;
> +		if (ret) {
> +			ccp_dm_free(&tag);
> +			goto e_final_wa;
> +		}
>   
>   		ret = crypto_memneq(tag.address, final_wa.address,
>   				    authsize) ? -EBADMSG : 0;
>   		ccp_dm_free(&tag);
>   	}
>   
> -e_tag:
> +e_final_wa:
>   	ccp_dm_free(&final_wa);
>   
>   e_dst:
> 
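
Review bot: In the ccp_set_dm_area() failure branch, the inline `ccp_dm_free(&tag)` before `goto e_final_wa` duplicates the free a few lines below and departs from the label-based unwinding at the end of the function; because tag is local to this block that is workable, but a one-line comment saying so would keep a later edit from adding a second free or dropping this one. The ccp_init_dm_workarea(&tag, ...) failure just above jumps without freeing tag, which is right only if a failed init leaves nothing allocated. With the e_tag label removed, any leftover `goto e_tag` in a target tree will fail to build, which is a useful check where the cherry-pick does not apply cleanly.
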



