crypto: xts - Fix use-after-free on EINPROGRESS

When we get an EINPROGRESS completion in xts, we will end up marking the request as done and freeing it. This then blows up when the request is really completed as we've already freed the memory. Fixes: f1c131b ("crypto: xts - Convert to skcipher") Cc: <[email protected]> Reported-by: Nathan Royce <[email protected]> Reported-by: Krzysztof Kozlowski <[email protected]> Signed-off-by: Herbert Xu <[email protected]> Tested-by: Krzysztof Kozlowski <[email protected]>
CamonZ · Apr 10, 2017 · aa4a829 · aa4a829
1 parent 40c98cb
commit aa4a829
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/crypto/xts.c b/crypto/xts.c
@@ -286,13 +286,21 @@ static void encrypt_done(struct crypto_async_request *areq, int err)
 	struct rctx *rctx;
 
 	rctx = skcipher_request_ctx(req);
+
+	if (err == -EINPROGRESS) {
+		if (rctx->left != req->cryptlen)
+			return;
+		goto out;
+	}
+
 	subreq = &rctx->subreq;
 	subreq->base.flags &= CRYPTO_TFM_REQ_MAY_BACKLOG;
 
 	err = do_encrypt(req, err ?: post_crypt(req));
 	if (rctx->left)
 		return;
 
+out:
 	skcipher_request_complete(req, err);
 }
 
@@ -330,13 +338,21 @@ static void decrypt_done(struct crypto_async_request *areq, int err)
 	struct rctx *rctx;
 
 	rctx = skcipher_request_ctx(req);
+
+	if (err == -EINPROGRESS) {
+		if (rctx->left != req->cryptlen)
+			return;
+		goto out;
+	}
+
 	subreq = &rctx->subreq;
 	subreq->base.flags &= CRYPTO_TFM_REQ_MAY_BACKLOG;
 
 	err = do_decrypt(req, err ?: post_crypt(req));
 	if (rctx->left)
 		return;
 
+out:
 	skcipher_request_complete(req, err);
 }