linux/drivers/crypto
Waiman Long ba439a6cbf crypto: qat - Fix KASAN stack-out-of-bounds bug in adf_probe()
The following KASAN warning was printed when booting a 64-bit kernel
on some systems with Intel CPUs:

[   44.512826] ==================================================================
[   44.520165] BUG: KASAN: stack-out-of-bounds in find_first_bit+0xb0/0xc0
[   44.526786] Read of size 8 at addr ffff88041e02fc50 by task kworker/0:2/124

[   44.535253] CPU: 0 PID: 124 Comm: kworker/0:2 Tainted: G               X --------- ---  4.18.0-12.el8.x86_64+debug #1
[   44.545858] Hardware name: Intel Corporation PURLEY/PURLEY, BIOS BKVDTRL1.86B.0005.D08.1712070559 12/07/2017
[   44.555682] Workqueue: events work_for_cpu_fn
[   44.560043] Call Trace:
[   44.562502]  dump_stack+0x9a/0xe9
[   44.565832]  print_address_description+0x65/0x22e
[   44.570683]  ? find_first_bit+0xb0/0xc0
[   44.570689]  kasan_report.cold.6+0x92/0x19f
[   44.578726]  find_first_bit+0xb0/0xc0
[   44.578737]  adf_probe+0x9eb/0x19a0 [qat_c62x]
[   44.578751]  ? adf_remove+0x110/0x110 [qat_c62x]
[   44.591490]  ? mark_held_locks+0xc8/0x140
[   44.591498]  ? _raw_spin_unlock+0x30/0x30
[   44.591505]  ? trace_hardirqs_on_caller+0x381/0x570
[   44.604418]  ? adf_remove+0x110/0x110 [qat_c62x]
[   44.604427]  local_pci_probe+0xd4/0x180
[   44.604432]  ? pci_device_shutdown+0x110/0x110
[   44.617386]  work_for_cpu_fn+0x51/0xa0
[   44.621145]  process_one_work+0x8fe/0x16e0
[   44.625263]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   44.629799]  ? lock_acquire+0x14c/0x400
[   44.633645]  ? move_linked_works+0x12e/0x2a0
[   44.637928]  worker_thread+0x536/0xb50
[   44.641690]  ? __kthread_parkme+0xb6/0x180
[   44.645796]  ? process_one_work+0x16e0/0x16e0
[   44.650160]  kthread+0x30c/0x3d0
[   44.653400]  ? kthread_create_worker_on_cpu+0xc0/0xc0
[   44.658457]  ret_from_fork+0x3a/0x50

[   44.663557] The buggy address belongs to the page:
[   44.668350] page:ffffea0010780bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[   44.676356] flags: 0x17ffffc0000000()
[   44.680023] raw: 0017ffffc0000000 ffffea0010780bc8 ffffea0010780bc8 0000000000000000
[   44.687769] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[   44.695510] page dumped because: kasan: bad access detected

[   44.702578] Memory state around the buggy address:
[   44.707372]  ffff88041e02fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   44.714593]  ffff88041e02fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   44.721810] >ffff88041e02fc00: 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2
[   44.729028]                                                  ^
[   44.734864]  ffff88041e02fc80: f2 f2 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
[   44.742082]  ffff88041e02fd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   44.749299] ==================================================================

Looking into the code:

  int ret, bar_mask;
    :
  for_each_set_bit(bar_nr, (const unsigned long *)&bar_mask,

It is casting a 32-bit integer pointer to a 64-bit unsigned long
pointer. There are two problems here. First, the 32-bit pointer address
may not be 64-bit aligned. Secondly, it is accessing an extra 4 bytes.

This is fixed by changing the bar_mask type to unsigned long.

Cc: <stable@vger.kernel.org>
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-09-28 12:45:37 +08:00
..
amcc crypto: skcipher - remove useless setting of type flags 2018-07-09 00:30:27 +08:00
axis crypto: skcipher - remove useless setting of type flags 2018-07-09 00:30:27 +08:00
bcm crypto: aead - remove useless setting of type flags 2018-07-09 00:30:26 +08:00
caam crypto: caam/jr - fix ablkcipher_edesc pointer arithmetic 2018-09-21 13:04:46 +08:00
cavium crypto: cavium/nitrox - fix for command corruption in queue full case with backlog submissions. 2018-08-25 19:50:44 +08:00
ccp crypto: ccp - add timeout support in the SEV command 2018-09-13 13:27:43 +08:00
ccree crypto: ccree - allow bigger than sector XTS op 2018-08-03 18:06:05 +08:00
chelsio crypto: chelsio - Fix memory corruption in DMA Mapped buffers. 2018-09-28 12:44:34 +08:00
hisilicon crypto: hisilicon - sec_send_request() can be static 2018-08-07 17:51:39 +08:00
inside-secure crypto: inside-secure - initialize first_rdesc to make GCC happy 2018-07-20 13:51:22 +08:00
marvell crypto: remove redundant type flags from tfm allocation 2018-07-09 00:30:29 +08:00
mediatek headers: separate linux/mod_devicetable.h from linux/platform_device.h 2018-07-07 17:52:26 +02:00
nx powerpc updates for 4.19 2018-08-17 11:32:50 -07:00
qat crypto: qat - Fix KASAN stack-out-of-bounds bug in adf_probe() 2018-09-28 12:45:37 +08:00
qce Char/Misc driver patches for 4.19-rc1 2018-08-18 11:04:51 -07:00
rockchip License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
stm32 Char/Misc driver patches for 4.19-rc1 2018-08-18 11:04:51 -07:00
sunxi-ss crypto: skcipher - remove useless setting of type flags 2018-07-09 00:30:27 +08:00
ux500 Char/Misc driver patches for 4.19-rc1 2018-08-18 11:04:51 -07:00
virtio Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2018-08-15 16:01:47 -07:00
vmx Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2018-08-29 13:38:39 -07:00
Kconfig crypto: hisilicon - SEC security accelerator driver 2018-08-03 18:06:02 +08:00
Makefile crypto: hisilicon - SEC security accelerator driver 2018-08-03 18:06:02 +08:00
atmel-aes-regs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
atmel-aes.c crypto: atmel-aes - fix the keys zeroing on errors 2018-03-03 00:03:40 +08:00
atmel-authenc.h crypto: atmel-authenc - add support to authenc(hmac(shaX), Y(aes)) modes 2017-02-03 18:16:14 +08:00
atmel-ecc.c crypto: atmel-ecc - remove overly verbose dev_info 2018-06-22 23:03:08 +08:00
atmel-ecc.h crypto: atmel-ecc - introduce Microchip / Atmel ECC driver 2017-07-18 17:50:58 +08:00
atmel-sha-regs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
atmel-sha.c crypto: remove redundant type flags from tfm allocation 2018-07-09 00:30:29 +08:00
atmel-tdes-regs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
atmel-tdes.c crypto: atmel - Delete error messages for a failed memory allocation in six functions 2018-02-22 22:17:00 +08:00
exynos-rng.c crypto: drivers - simplify getting .drvdata 2018-04-28 16:09:35 +08:00
geode-aes.c crypto: geode-aes - fixed coding style warnings and error 2017-07-18 18:15:57 +08:00
geode-aes.h
hifn_795x.c crypto: hifn_795x - Fix a memory leak in the error handling path of 'hifn_probe()' 2017-11-29 17:33:30 +11:00
img-hash.c crypto: img-hash - remove unnecessary static in img_hash_remove() 2017-08-03 13:47:18 +08:00
ixp4xx_crypto.c crypto: ixp4xx - don't leak pointers to authenc keys 2018-03-31 01:33:12 +08:00
mxc-scc.c crypto: mxc-scc - fix error code in mxc_scc_probe() 2017-07-18 17:50:54 +08:00
mxs-dcp.c crypto: mxs-dcp - Fix wait logic on chan threads 2018-09-28 12:45:37 +08:00
n2_asm.S License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
n2_core.c crypto: ahash - remove useless setting of type flags 2018-07-09 00:30:25 +08:00
n2_core.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
omap-aes-gcm.c crypto: omap-aes - pr_err() strings should end with newlines 2017-10-12 22:54:51 +08:00
omap-aes.c crypto: omap-aes - make queue length configurable 2018-03-09 22:45:39 +08:00
omap-aes.h crypto: omap - convert to new crypto engine API 2018-02-15 23:26:51 +08:00
omap-crypto.c crypto: omap-crypto - Verify page zone scatterlists before starting DMA 2018-03-09 22:45:36 +08:00
omap-crypto.h crypto: omap - add base support library for common routines 2017-06-10 12:04:15 +08:00
omap-des.c crypto: omap - convert to new crypto engine API 2018-02-15 23:26:51 +08:00
omap-sham.c crypto: ahash - remove useless setting of type flags 2018-07-09 00:30:25 +08:00
padlock-aes.c crypto: padlock-aes - Fix Nano workaround data corruption 2018-07-20 13:47:42 +08:00
padlock-sha.c crypto: shash - remove useless setting of type flags 2018-07-09 00:30:24 +08:00
picoxcell_crypto.c crypto: drivers - simplify getting .drvdata 2018-04-28 16:09:35 +08:00
picoxcell_crypto_regs.h
qcom-rng.c crypto: qcom-rng - Add ACPI support 2018-07-27 19:04:32 +08:00
s5p-sss.c crypto: ahash - remove useless setting of type flags 2018-07-09 00:30:25 +08:00
sahara.c crypto: sharah - Unregister correct algorithms for SAHARA 3 2018-07-20 13:51:22 +08:00
talitos.c crypto: ahash - remove useless setting of cra_type 2018-07-09 00:30:26 +08:00
talitos.h crypto: talitos - chain in buffered data for ahash on SEC1 2017-10-12 22:55:38 +08:00