| From 9a5880049feeeec57dfa433a159124500261fe28 Mon Sep 17 00:00:00 2001 |
| From: Herbert Xu <herbert@gondor.apana.org.au> |
| Date: Mon, 10 Apr 2017 17:59:07 +0800 |
| Subject: [PATCH] crypto: algif_aead - Fix bogus request dereference in |
| completion function |
| |
| commit e6534aebb26e32fbab14df9c713c65e8507d17e4 upstream. |
| |
| The algif_aead completion function tries to deduce the aead_request |
| from the crypto_async_request argument. This is broken because |
| the API does not guarantee that the same request will be passed to |
| the completion function. Only the value of req->data can be used |
| in the completion function. |
| |
| This patch fixes it by storing a pointer to sk in areq and using |
| that instead of passing in sk through req->data. |
| |
| Fixes: 83094e5e9e49 ("crypto: af_alg - add async support to...") |
| Cc: <stable@vger.kernel.org> |
| Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c |
| index 10fe7972391c..2f855afbc76d 100644 |
| --- a/crypto/algif_aead.c |
| +++ b/crypto/algif_aead.c |
| @@ -39,6 +39,7 @@ struct aead_async_req { |
| struct aead_async_rsgl first_rsgl; |
| struct list_head list; |
| struct kiocb *iocb; |
| + struct sock *sk; |
| unsigned int tsgls; |
| char iv[]; |
| }; |
| @@ -375,12 +376,10 @@ unlock: |
| |
| static void aead_async_cb(struct crypto_async_request *_req, int err) |
| { |
| - struct sock *sk = _req->data; |
| - struct alg_sock *ask = alg_sk(sk); |
| - struct aead_ctx *ctx = ask->private; |
| - struct crypto_aead *tfm = crypto_aead_reqtfm(&ctx->aead_req); |
| - struct aead_request *req = aead_request_cast(_req); |
| + struct aead_request *req = _req->data; |
| + struct crypto_aead *tfm = crypto_aead_reqtfm(req); |
| struct aead_async_req *areq = GET_ASYM_REQ(req, tfm); |
| + struct sock *sk = areq->sk; |
| struct scatterlist *sg = areq->tsgl; |
| struct aead_async_rsgl *rsgl; |
| struct kiocb *iocb = areq->iocb; |
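Review bot: `struct sock *sk = areq->sk;` reads a bare pointer cached in the request, and nothing visible in this patch shows that the socket is pinned for as long as the async request is in flight. If the completion can run after the socket has been released, every later use of `sk` in this callback would touch freed memory. The body of aead_async_cb continues outside the hunk, and aead_recvmsg_async is only partly shown, so a matching hold/put pair may already exist; that is worth confirming. The new field in struct aead_async_req could carry the contract, e.g. `struct sock *sk; /* owning socket; must stay referenced until aead_async_cb() has run */`.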
| @@ -440,11 +439,12 @@ static int aead_recvmsg_async(struct socket *sock, struct msghdr *msg, |
| memset(&areq->first_rsgl, '\0', sizeof(areq->first_rsgl)); |
| INIT_LIST_HEAD(&areq->list); |
| areq->iocb = msg->msg_iocb; |
| + areq->sk = sk; |
| memcpy(areq->iv, ctx->iv, crypto_aead_ivsize(tfm)); |
| aead_request_set_tfm(req, tfm); |
| aead_request_set_ad(req, ctx->aead_assoclen); |
| aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, |
| - aead_async_cb, sk); |
| + aead_async_cb, req); |
| used -= ctx->aead_assoclen + (ctx->enc ? as : 0); |
| |
| /* take over all tx sgls from ctx */ |
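Review bot: Passing `req` as its own callback data in `aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, aead_async_cb, req);` looks redundant to a reader who has not seen the commit message, and invites a later cleanup back to `aead_request_cast(_req)` in the callback. A one-line comment above the call would record the constraint, e.g. `/* the completion may be handed a different crypto_async_request; only ->data is reliable */`. The same reasoning applies to the `_req->data` read at the top of aead_async_cb in the previous hunk. aead_recvmsg_async starts and ends outside this hunk.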
| -- |
| 2.12.0 |
| |