diff options
author | Salvatore Benedetto <salvatore.benedetto@intel.com> | 2017-04-25 16:59:47 +0100 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2017-04-30 12:22:05 +0200 |
commit | 763d9a302ab18da0a0078c9788ed6566d0c974e3 (patch) | |
tree | ccc0213c60b3d08a9292493b27f6ad4a5cb25c1a /net/bluetooth/ecdh_helper.c | |
parent | 58771c1cb0023fdd744e76d6cad7716dc4f579ee (diff) | |
download | lwn-763d9a302ab18da0a0078c9788ed6566d0c974e3.tar.gz lwn-763d9a302ab18da0a0078c9788ed6566d0c974e3.zip |
Bluetooth: allocate data for kpp on heap
Bluetooth would crash when computing ECDH keys with kpp
if VMAP_STACK is enabled. Fix by allocating data passed
to kpp on heap.
Fixes: 58771c1c ("Bluetooth: convert smp and selftest to crypto kpp
API")
Signed-off-by: Salvatore Benedetto <salvatore.benedetto@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net/bluetooth/ecdh_helper.c')
-rw-r--r-- | net/bluetooth/ecdh_helper.c | 22 |
1 files changed, 16 insertions, 6 deletions
diff --git a/net/bluetooth/ecdh_helper.c b/net/bluetooth/ecdh_helper.c index b6d9aa155485..579684bfc322 100644 --- a/net/bluetooth/ecdh_helper.c +++ b/net/bluetooth/ecdh_helper.c @@ -59,16 +59,19 @@ bool compute_ecdh_secret(const u8 public_key[64], const u8 private_key[32], struct ecdh p; struct ecdh_completion result; struct scatterlist src, dst; - u8 tmp[64]; - u8 *buf; + u8 *tmp, *buf; unsigned int buf_len; int err = -ENOMEM; + tmp = kmalloc(64, GFP_KERNEL); + if (!tmp) + return false; + tfm = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0); if (IS_ERR(tfm)) { pr_err("alg: kpp: Failed to load tfm for kpp: %ld\n", PTR_ERR(tfm)); - return false; + goto free_tmp; } req = kpp_request_alloc(tfm, GFP_KERNEL); @@ -128,6 +131,8 @@ free_req: kpp_request_free(req); free_kpp: crypto_free_kpp(tfm); +free_tmp: + kfree(tmp); return (err == 0); } @@ -138,18 +143,21 @@ bool generate_ecdh_keys(u8 public_key[64], u8 private_key[32]) struct ecdh p; struct ecdh_completion result; struct scatterlist dst; - u8 tmp[64]; - u8 *buf; + u8 *tmp, *buf; unsigned int buf_len; int err = -ENOMEM; const unsigned short max_tries = 16; unsigned short tries = 0; + tmp = kmalloc(64, GFP_KERNEL); + if (!tmp) + return false; + tfm = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0); if (IS_ERR(tfm)) { pr_err("alg: kpp: Failed to load tfm for kpp: %ld\n", PTR_ERR(tfm)); - return false; + goto free_tmp; } req = kpp_request_alloc(tfm, GFP_KERNEL); @@ -219,5 +227,7 @@ free_req: kpp_request_free(req); free_kpp: crypto_free_kpp(tfm); +free_tmp: + kfree(tmp); return (err == 0); } |