From 3fb629fbcbad92e4cbe765a6871a80a32721a6eb Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 4 Oct 2021 13:32:11 +0200
Subject: [PATCH] 4.14-stable patches added patches: crypto-ccp-fix-resource-leaks-in-ccp_run_aes_gcm_cmd.patch
---
 ...esource-leaks-in-ccp_run_aes_gcm_cmd.patch | 76 +++++++++++++++++++
 queue-4.14/series | 1 +
 2 files changed, 77 insertions(+)
 create mode 100644 queue-4.14/crypto-ccp-fix-resource-leaks-in-ccp_run_aes_gcm_cmd.patch
diff --git a/queue-4.14/crypto-ccp-fix-resource-leaks-in-ccp_run_aes_gcm_cmd.patch b/queue-4.14/crypto-ccp-fix-resource-leaks-in-ccp_run_aes_gcm_cmd.patch
new file mode 100644
index 00000000000..b4db4290d3f
--- /dev/null
+++ b/queue-4.14/crypto-ccp-fix-resource-leaks-in-ccp_run_aes_gcm_cmd.patch
@@ -0,0 +1,76 @@
+From 505d9dcb0f7ddf9d075e729523a33d38642ae680 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Thu, 26 Aug 2021 16:04:27 +0300
+Subject: crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter
+
+commit 505d9dcb0f7ddf9d075e729523a33d38642ae680 upstream.
+
+There are three bugs in this code:
+
+1) If we ccp_init_data() fails for &src then we need to free aad.
+ Use goto e_aad instead of goto e_ctx.
+2) The label to free the &final_wa was named incorrectly as "e_tag" but
+ it should have been "e_final_wa". One error path leaked &final_wa.
+3) The &tag was leaked on one error path. In that case, I added a free
+ before the goto because the resource was local to that block.
+
+Fixes: 36cf515b9bbe ("crypto: ccp - Enable support for AES GCM on v5 CCPs")
+Reported-by: "minihanshen(沈明航)"
+Signed-off-by: Dan Carpenter
+Reviewed-by: John Allen
+Tested-by: John Allen
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/ccp/ccp-ops.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/crypto/ccp/ccp-ops.c
++++ b/drivers/crypto/ccp/ccp-ops.c
+@@ -783,7 +783,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue
+ in_place ? DMA_BIDIRECTIONAL
+ : DMA_TO_DEVICE);
+ if (ret)
+- goto e_ctx;
++ goto e_aad;
+
+ if (in_place) {
+ dst = src;
+@@ -868,7 +868,7 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue
+ op.u.aes.size = 0;
+ ret = cmd_q->ccp->vdata->perform->aes(&op);
+ if (ret)
+- goto e_dst;
++ goto e_final_wa;
+
+ if (aes->action == CCP_AES_ACTION_ENCRYPT) {
+ /* Put the ciphered tag after the ciphertext. */
+@@ -878,17 +878,19 @@ ccp_run_aes_gcm_cmd(struct ccp_cmd_queue
+ ret = ccp_init_dm_workarea(&tag, cmd_q, authsize,
+ DMA_BIDIRECTIONAL);
+ if (ret)
+- goto e_tag;
++ goto e_final_wa;
+ ret = ccp_set_dm_area(&tag, 0, p_tag, 0, authsize);
+- if (ret)
+- goto e_tag;
++ if (ret) {
++ ccp_dm_free(&tag);
++ goto e_final_wa;
++ }
+
+ ret = crypto_memneq(tag.address, final_wa.address,
+ authsize) ? -EBADMSG : 0;
+ ccp_dm_free(&tag);
+ }
+
+-e_tag:
++e_final_wa:
+ ccp_dm_free(&final_wa);
+
+ e_dst:
diff --git a/queue-4.14/series b/queue-4.14/series
index 03afdb681cd..892d0c62ea1 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -68,3 +68,4 @@ arm64-extend-workaround-for-erratum-1024718-to-all-versions-of-cortex-a55.patch
 hso-fix-bailout-in-error-case-of-probe.patch
 usb-hso-fix-error-handling-code-of-hso_create_net_device.patch
 usb-hso-remove-the-bailout-parameter.patch
+crypto-ccp-fix-resource-leaks-in-ccp_run_aes_gcm_cmd.patch
--
2.47.3
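Review bot: In the decrypt branch of the last ccp-ops.c hunk, `tag` is now released in two separate places (inside the new `if (ret) { ... }` and after the compare) while the other work areas unwind through labels, and nothing in the code itself records why. A short comment above the new block, e.g. `/* tag is local to this branch: free it here, then unwind from e_final_wa */`, would keep a later edit from reintroducing the leak. The `crypto_memneq()` line also deserves a comment such as `/* constant-time tag check; do not replace with memcmp() */`, since that comparison is what decides `-EBADMSG`. The function body starts and ends outside these hunks, so whether `final_wa` is always initialised before the second hunk's `goto e_final_wa` cannot be confirmed from the lines shown.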