On Wed, Feb 23, 2022 at 05:47:25PM -0800, Eric Biggers wrote:
On Wed, Feb 23, 2022 at 10:04:00AM +0200, Gilad Ben-Yossef wrote:
The drbg code was binding the same buffer to two different scatter gather lists and submitting those as source and destination to a crypto api operation, thus potentially causing HW crypto drivers to perform overlapping DMA mappings which are not aware it is the same buffer.
This can have serious consequences of data corruption of internal DRBG buffers and wrong RNG output.
Fix this by reusing the same scatter gather list for both src and dst.
Signed-off-by: Gilad Ben-Yossef gilad@benyossef.com
Reported-by: Corentin Labbe clabbe.montjoie@gmail.com
Tested-by: Corentin Labbe clabbe.montjoie@gmail.com
Tested-on: r8a7795-salvator-x
Tested-on: xilinx-zc706
Fixes: 43490e8046b5d ("crypto: drbg - in-place cipher operation for CTR")
Cc: stable@vger.kernel.org
Where is it documented and tested that the API doesn't allow this? I wasn't aware of this case; it sounds perfectly allowed to me. There might be a lot of other users who do this, not just drbg.c.
Just quickly looking through the code I maintain, there is another place that uses scatterlists like this: in fscrypt_crypt_block() in fs/crypto/crypto.c, the source and destination can be the same. That's just the code I maintain; I'm sure if you looked through the whole kernel you'd find a lot more.
This sounds more like a driver bug, and a case we need to add self-tests for.
- Eric
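The src/dst relationship this thread turns on, as an added userspace illustration (not code from the patch, the kernel, or either participant). `struct sg_ent`, `sg_classify` and the demo functions are hypothetical stand-ins for scatterlists, and the model assumes in-place operation is recognized by comparing list pointers.

```c
#include <stddef.h>
#include <stdint.h>

/* Userspace stand-in for one scatterlist entry (hypothetical type,
 * not the kernel's struct scatterlist). */
struct sg_ent { const unsigned char *buf; size_t len; };

enum sg_relation { SG_DISJOINT, SG_IN_PLACE, SG_ALIASED };

/* Two non-empty byte ranges overlap if each starts before the other ends. */
static int ranges_overlap(const struct sg_ent *a, const struct sg_ent *b)
{
    uintptr_t as = (uintptr_t)a->buf, bs = (uintptr_t)b->buf;
    return a->len && b->len && as < bs + b->len && bs < as + a->len;
}

/*
 * Classify a src/dst pair as a self-test or debug check could:
 *  SG_IN_PLACE - same list object, visibly in-place by pointer identity
 *  SG_ALIASED  - distinct lists over overlapping memory (the pattern in
 *                the patch description: the aliasing is not visible)
 *  SG_DISJOINT - distinct lists over distinct memory
 */
enum sg_relation sg_classify(const struct sg_ent *src, size_t nsrc,
                             const struct sg_ent *dst, size_t ndst)
{
    if (src == dst)
        return SG_IN_PLACE;
    for (size_t i = 0; i < nsrc; i++)
        for (size_t j = 0; j < ndst; j++)
            if (ranges_overlap(&src[i], &dst[j]))
                return SG_ALIASED;
    return SG_DISJOINT;
}

/* Constructed sample: one 16-byte block, bound the two ways discussed. */
static unsigned char block[16];

enum sg_relation demo_two_lists(void)   /* same buffer, two lists */
{
    struct sg_ent sg_in[1]  = { { block, sizeof(block) } };
    struct sg_ent sg_out[1] = { { block, sizeof(block) } };
    return sg_classify(sg_in, 1, sg_out, 1);
}

enum sg_relation demo_one_list(void)    /* one list used as src and dst */
{
    struct sg_ent sg[1] = { { block, sizeof(block) } };
    return sg_classify(sg, 1, sg, 1);
}
```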