crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()

mainline inclusion from mainline-5.15-rc4 commit 505d9dcb bugzilla: 182864 https://gitee.com/openeuler/kernel/issues/I4DDEL CVE: CVE-2021-3744 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=505d9dcb0f7ddf9d075e729523a33d38642ae680 -------------------------------- There are three bugs in this code: 1) If we ccp_init_data() fails for &src then we need to free aad. Use goto e_aad instead of goto e_ctx. 2) The label to free the &final_wa was named incorrectly as "e_tag" but it should have been "e_final_wa". One error path leaked &final_wa. 3) The &tag was leaked on one error path. In that case, I added a free before the goto because the resource was local to that block. Fixes: 36cf515b ("crypto: ccp - Enable support for AES GCM on v5 CCPs") Reported-by: N "minihanshen(沈明航)" <minihanshen@tencent.com> Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: N John Allen <john.allen@amd.com> Tested-by: N John Allen <john.allen@amd.com> Signed-off-by: N Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
mainline inclusion from mainline-5.15-rc4 commit 505d9dcb bugzilla: 182864 https://gitee.com/openeuler/kernel/issues/I4DDEL CVE: CVE-2021-3744 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=505d9dcb0f7ddf9d075e729523a33d38642ae680 -------------------------------- There are three bugs in this code: 1) If we ccp_init_data() fails for &src then we need to free aad. Use goto e_aad instead of goto e_ctx. 2) The label to free the &final_wa was named incorrectly as "e_tag" but it should have been "e_final_wa". One error path leaked &final_wa. 3) The &tag was leaked on one error path. In that case, I added a free before the goto because the resource was local to that block. Fixes: 36cf515b ("crypto: ccp - Enable support for AES GCM on v5 CCPs") Reported-by: N "minihanshen(沈明航)" <minihanshen@tencent.com> Signed-off-by: N Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: N John Allen <john.allen@amd.com> Tested-by: N John Allen <john.allen@amd.com> Signed-off-by: N Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
8c5d963a · Dan Carpenter · Zheng Zengkai · 090bca0f · 8c5d963a
隐藏空白更改
内联并排

Showing with 8 addition and 6 deletion

drivers/crypto/ccp/ccp-ops.c drivers/crypto/ccp/ccp-ops.c +8 -6

未找到文件。
--- a/drivers/crypto/ccp/ccp-ops.c
+++ b/drivers/crypto/ccp/ccp-ops.c
@@ -778,7 +778,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
 				    in_place ? DMA_BIDIRECTIONAL
 					     : DMA_TO_DEVICE);
 		if (ret)
-			goto e_ctx;
+			goto e_aad;

 		if (in_place) {
 			dst = src;
@@ -863,7 +863,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
 	op.u.aes.size = 0;
 	ret = cmd_q->ccp->vdata->perform->aes(&op);
 	if (ret)
-		goto e_dst;
+		goto e_final_wa;

 	if (aes->action == CCP_AES_ACTION_ENCRYPT) {
 		/* Put the ciphered tag after the ciphertext. */
@@ -873,17 +873,19 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
 		ret = ccp_init_dm_workarea(&tag, cmd_q, authsize,
 					   DMA_BIDIRECTIONAL);
 		if (ret)
-			goto e_tag;
+			goto e_final_wa;
 		ret = ccp_set_dm_area(&tag, 0, p_tag, 0, authsize);
-		if (ret)
-			goto e_tag;
+		if (ret) {
+			ccp_dm_free(&tag);
+			goto e_final_wa;
+		}

 		ret = crypto_memneq(tag.address, final_wa.address,
 				    authsize) ? -EBADMSG : 0;
 		ccp_dm_free(&tag);
 	}

-e_tag:
+e_final_wa:
 	ccp_dm_free(&final_wa);

 e_dst: