From 763d9a302ab18da0a0078c9788ed6566d0c974e3 Mon Sep 17 00:00:00 2001
From: Salvatore Benedetto <salvatore.benedetto@intel.com>
Date: Tue, 25 Apr 2017 16:59:47 +0100
Subject: Bluetooth: allocate data for kpp on heap

Bluetooth would crash when computing ECDH keys with kpp
if VMAP_STACK is enabled. Fix by allocating data passed
to kpp on heap.

Fixes: 58771c1c ("Bluetooth: convert smp and selftest to crypto kpp
API")
Signed-off-by: Salvatore Benedetto <salvatore.benedetto@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
---
 net/bluetooth/ecdh_helper.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

(limited to 'net/bluetooth/ecdh_helper.c')

diff --git a/net/bluetooth/ecdh_helper.c b/net/bluetooth/ecdh_helper.c
index b6d9aa155485..579684bfc322 100644
--- a/net/bluetooth/ecdh_helper.c
+++ b/net/bluetooth/ecdh_helper.c
@@ -59,16 +59,19 @@ bool compute_ecdh_secret(const u8 public_key[64], const u8 private_key[32],
 	struct ecdh p;
 	struct ecdh_completion result;
 	struct scatterlist src, dst;
-	u8 tmp[64];
-	u8 *buf;
+	u8 *tmp, *buf;
 	unsigned int buf_len;
 	int err = -ENOMEM;
 
+	tmp = kmalloc(64, GFP_KERNEL);
+	if (!tmp)
+		return false;
+
 	tfm = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
 	if (IS_ERR(tfm)) {
 		pr_err("alg: kpp: Failed to load tfm for kpp: %ld\n",
 		       PTR_ERR(tfm));
-		return false;
+		goto free_tmp;
 	}
 
 	req = kpp_request_alloc(tfm, GFP_KERNEL);
@@ -128,6 +131,8 @@ free_req:
 	kpp_request_free(req);
 free_kpp:
 	crypto_free_kpp(tfm);
+free_tmp:
+	kfree(tmp);
 	return (err == 0);
 }
 
@@ -138,18 +143,21 @@ bool generate_ecdh_keys(u8 public_key[64], u8 private_key[32])
 	struct ecdh p;
 	struct ecdh_completion result;
 	struct scatterlist dst;
-	u8 tmp[64];
-	u8 *buf;
+	u8 *tmp, *buf;
 	unsigned int buf_len;
 	int err = -ENOMEM;
 	const unsigned short max_tries = 16;
 	unsigned short tries = 0;
 
+	tmp = kmalloc(64, GFP_KERNEL);
+	if (!tmp)
+		return false;
+
 	tfm = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
 	if (IS_ERR(tfm)) {
 		pr_err("alg: kpp: Failed to load tfm for kpp: %ld\n",
 		       PTR_ERR(tfm));
-		return false;
+		goto free_tmp;
 	}
 
 	req = kpp_request_alloc(tfm, GFP_KERNEL);
@@ -219,5 +227,7 @@ free_req:
 	kpp_request_free(req);
 free_kpp:
 	crypto_free_kpp(tfm);
+free_tmp:
+	kfree(tmp);
 	return (err == 0);
 }
-- 
cgit