From patchwork Wed Dec 20 22:28:25 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 10126761 X-Patchwork-Delegate: herbert@gondor.apana.org.au
From: Eric Biggers To: linux-crypto@vger.kernel.org Cc: Steffen Klassert , Herbert Xu , "David S . Miller" , linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, Eric Biggers , stable@vger.kernel.org Subject: [PATCH] crypto: pcrypt - fix freeing pcrypt instances Date: Wed, 20 Dec 2017 14:28:25 -0800 Message-Id: <20171220222825.207321-1-ebiggers3@gmail.com> X-Mailer: git-send-email 2.15.1.620.gb9897f4670-goog In-Reply-To: <94eb2c05a380d3908b056096eb58@google.com> References: <94eb2c05a380d3908b056096eb58@google.com> Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers pcrypt is using the old way of freeing instances, where the ->free() method specified in the 'struct crypto_template' is passed a pointer to the 'struct crypto_instance'. But the crypto_instance is being kfree()'d directly, which is incorrect because the memory was actually allocated as an aead_instance, which contains the crypto_instance at a nonzero offset. Thus, the wrong pointer was being kfree()'d. Fix it by switching to the new way to free aead_instance's where the ->free() method is specified in the aead_instance itself. Reported-by: syzbot Fixes: 0496f56065e0 ("crypto: pcrypt - Add support for new AEAD interface") Cc: # v4.2+ Signed-off-by: Eric Biggers --- crypto/pcrypt.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c index ee9cfb99fe25..f8ec3d4ba4a8 100644 --- a/crypto/pcrypt.c +++ b/crypto/pcrypt.c @@ -254,6 +254,14 @@ static void pcrypt_aead_exit_tfm(struct crypto_aead *tfm) crypto_free_aead(ctx->child); } +static void pcrypt_free(struct aead_instance *inst) +{ + struct pcrypt_instance_ctx *ctx = aead_instance_ctx(inst); + + crypto_drop_aead(&ctx->spawn); + kfree(inst); +} + static int pcrypt_init_instance(struct crypto_instance *inst, struct crypto_alg *alg) { 
@@ -319,6 +327,8 @@ static int pcrypt_create_aead(struct crypto_template *tmpl, struct rtattr **tb, inst->alg.encrypt = pcrypt_aead_encrypt; inst->alg.decrypt = pcrypt_aead_decrypt; + inst->free = pcrypt_free; + err = aead_register_instance(tmpl, inst); if (err) goto out_drop_aead; @@ -349,14 +359,6 @@ static int pcrypt_create(struct crypto_template *tmpl, struct rtattr **tb) return -EINVAL; } -static void pcrypt_free(struct crypto_instance *inst) -{ - struct pcrypt_instance_ctx *ctx = crypto_instance_ctx(inst); - - crypto_drop_aead(&ctx->spawn); - kfree(inst); -} - static int pcrypt_cpumask_change_notify(struct notifier_block *self, unsigned long val, void *data) { @@ -469,7 +471,6 @@ static void pcrypt_fini_padata(struct padata_pcrypt *pcrypt) static struct crypto_template pcrypt_tmpl = { .name = "pcrypt", .create = pcrypt_create, - .free = pcrypt_free, .module = THIS_MODULE, };
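Review bot: in the first hunk (@@ -254), the new pcrypt_free() passes inst straight to kfree(), which is only right if inst is exactly the pointer the allocator returned in pcrypt_create_aead(). That allocation is not visible in this diff, so please confirm it allocates the aead_instance with the pcrypt_instance_ctx behind it, matching the aead_instance_ctx(inst) lookup used here. A one-line comment above pcrypt_free() stating that inst is the allocation base would help keep the old mistake from returning.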
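Review bot: in the @@ -319 hunk, inst->free is assigned before aead_register_instance(), and the failure branch jumps to out_drop_aead, which is not shown. Please confirm that this error path drops the spawn and frees inst exactly once, and that nothing on registration failure also invokes inst->free, since pcrypt_free() itself does both crypto_drop_aead(&ctx->spawn) and kfree(inst).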
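Review bot: in the last hunk (@@ -469), dropping .free from pcrypt_tmpl means the template no longer has any free method, so every instance pcrypt_create() can register must carry its own ->free. This patch sets it only in pcrypt_create_aead(); the commit message should say that AEAD is the only instance type pcrypt creates (the visible tail of pcrypt_create() returns -EINVAL otherwise), so that a later reader does not assume a template-level fallback still exists.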
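The pointer mismatch described in the commit message, as an added userspace illustration that is not part of the patch or of the kernel source. The `model_*` structs, the field layout and the one-slot tracking allocator are assumptions made for the example; they only reproduce the property that the embedded instance sits at a nonzero offset inside the allocated object.

```c
#include <stddef.h>
#include <stdlib.h>

/* Simplified stand-ins for the kernel types; layouts are illustrative only. */
struct model_crypto_instance { int refcnt; };
struct model_aead_instance {
    int (*free_inst)(struct model_aead_instance *inst); /* models inst->free */
    char alg_head[32];                   /* fields placed ahead of the base */
    struct model_crypto_instance base;   /* embedded at a nonzero offset */
};

/* One-slot tracking allocator: remembers the pointer the allocator returned. */
static void *live_alloc;
static void *tracked_alloc(size_t n) { live_alloc = calloc(1, n); return live_alloc; }

/* Frees only a pointer the allocator handed out; returns -1 otherwise. */
static int tracked_free(void *p)
{
    if (p == NULL || p != live_alloc)
        return -1;   /* interior pointer, not a valid argument to free()/kfree() */
    free(p);
    live_alloc = NULL;
    return 0;
}

/* Old style: the template's free method gets the embedded instance as-is. */
static int old_style_free(struct model_crypto_instance *inst) { return tracked_free(inst); }

/* New style: the instance's own free method gets the allocation base. */
static int new_style_free(struct model_aead_instance *inst) { return tracked_free(inst); }

/* Runs both paths on one allocation; returns 1 if old is rejected and new works. */
static int demo(void)
{
    struct model_aead_instance *inst = tracked_alloc(sizeof(*inst));
    int old_rc, new_rc;

    if (!inst) return -1;
    old_rc = old_style_free(&inst->base);   /* rejected: not the allocation base */
    inst->free_inst = new_style_free;       /* what the patch wires up */
    new_rc = inst->free_inst(inst);         /* accepted: same pointer as allocated */
    return old_rc == -1 && new_rc == 0;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```
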