RE: [PATCH v2 2/2] crypto: virtio: Fix use-after-free in virtio_crypto_skcipher_finalize_req()
From: Gonglei (Arei)
Date: Tue May 26 2020 - 08:00:46 EST
> -----Original Message-----
> From: Longpeng (Mike, Cloud Infrastructure Service Product Dept.)
> Sent: Tuesday, May 26, 2020 11:20 AM
> To: linux-crypto@xxxxxxxxxxxxxxx
> Cc: Longpeng (Mike, Cloud Infrastructure Service Product Dept.)
> <longpeng2@xxxxxxxxxx>; LABBE Corentin <clabbe@xxxxxxxxxxxx>; Gonglei
> (Arei) <arei.gonglei@xxxxxxxxxx>; Herbert Xu
> <herbert@xxxxxxxxxxxxxxxxxxx>; Michael S. Tsirkin <mst@xxxxxxxxxx>; Jason
> Wang <jasowang@xxxxxxxxxx>; David S. Miller <davem@xxxxxxxxxxxxx>;
> Markus Elfring <Markus.Elfring@xxxxxx>;
> virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx;
> stable@xxxxxxxxxxxxxxx
> Subject: [PATCH v2 2/2] crypto: virtio: Fix use-after-free in
> virtio_crypto_skcipher_finalize_req()
>
> The system'll crash when the users insmod crypto/tcrypto.ko with mode=155
> ( testing "authenc(hmac(sha1),cbc(aes))" ). It's caused by reuse the memory of
> request structure.
>
> In crypto_authenc_init_tfm(), the reqsize is set to:
> [PART 1] sizeof(authenc_request_ctx) +
> [PART 2] ictx->reqoff +
> [PART 3] MAX(ahash part, skcipher part) and the 'PART 3' is used by both
> ahash and skcipher in turn.
>
> When the virtio_crypto driver finish skcipher req, it'll call ->complete callback(in
> crypto_finalize_skcipher_request) and then free its resources whose pointers
> are recorded in 'skcipher parts'.
>
> However, the ->complete is 'crypto_authenc_encrypt_done' in this case, it will
> use the 'ahash part' of the request and change its content, so virtio_crypto
> driver will get the wrong pointer after ->complete finish and mistakenly free
> some other's memory. So the system will crash when these memory will be used
> again.
>
> The resources which need to be cleaned up are not used any more. But the
> pointers of these resources may be changed in the function
> "crypto_finalize_skcipher_request". Thus release specific resources before
> calling this function.
>
> Fixes: dbaf0624ffa5 ("crypto: add virtio-crypto driver")
> Reported-by: LABBE Corentin <clabbe@xxxxxxxxxxxx>
> Cc: Gonglei <arei.gonglei@xxxxxxxxxx>
> Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Cc: "Michael S. Tsirkin" <mst@xxxxxxxxxx>
> Cc: Jason Wang <jasowang@xxxxxxxxxx>
> Cc: "David S. Miller" <davem@xxxxxxxxxxxxx>
> Cc: Markus Elfring <Markus.Elfring@xxxxxx>
> Cc: virtualization@xxxxxxxxxxxxxxxxxxxxxxxxxx
> Cc: linux-kernel@xxxxxxxxxxxxxxx
> Cc: stable@xxxxxxxxxxxxxxx
> Message-Id: <20200123101000.GB24255@Red>
> Signed-off-by: Longpeng(Mike) <longpeng2@xxxxxxxxxx>
> ---
Acked-by: Gonglei <arei.gonglei@xxxxxxxxxx>
Regards,
-Gonglei
> drivers/crypto/virtio/virtio_crypto_algs.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/crypto/virtio/virtio_crypto_algs.c
> b/drivers/crypto/virtio/virtio_crypto_algs.c
> index 5f8243563009..52261b6c247e 100644
> --- a/drivers/crypto/virtio/virtio_crypto_algs.c
> +++ b/drivers/crypto/virtio/virtio_crypto_algs.c
> @@ -582,10 +582,11 @@ static void virtio_crypto_skcipher_finalize_req(
> scatterwalk_map_and_copy(req->iv, req->dst,
> req->cryptlen - AES_BLOCK_SIZE,
> AES_BLOCK_SIZE, 0);
> - crypto_finalize_skcipher_request(vc_sym_req->base.dataq->engine,
> - req, err);
> kzfree(vc_sym_req->iv);
> virtcrypto_clear_request(&vc_sym_req->base);
> +
> + crypto_finalize_skcipher_request(vc_sym_req->base.dataq->engine,
> + req, err);
> }
>
> static struct virtio_crypto_algo virtio_crypto_algs[] = { {
> --
> 2.23.0