2124 Commits

Author SHA1 Message Date
Eric Biggers
1b5dd7104e FROMGIT: crypto: speck - add support for the Speck block cipher
Add a generic implementation of Speck, including the Speck128 and
Speck64 variants.  Speck is a lightweight block cipher that can be much
faster than AES on processors that don't have AES instructions.

We are planning to offer Speck-XTS (probably Speck128/256-XTS) as an
option for dm-crypt and fscrypt on Android, for low-end mobile devices
with older CPUs such as ARMv7 which don't have the Cryptography
Extensions.  Currently, such devices are unencrypted because AES is not
fast enough, even when the NEON bit-sliced implementation of AES is
used.  Other AES alternatives such as Twofish, Threefish, Camellia,
CAST6, and Serpent aren't fast enough either; it seems that only a
modern ARX cipher can provide sufficient performance on these devices.

This is a replacement for our original proposal
(https://patchwork.kernel.org/patch/10101451/) which was to offer
ChaCha20 for these devices.  However, the use of a stream cipher for
disk/file encryption with no space to store nonces would have been much
more insecure than we thought initially, given that it would be used on
top of flash storage as well as potentially on top of F2FS, neither of
which is guaranteed to overwrite data in-place.

Speck has been somewhat controversial due to its origin.  Nevertheless,
it has a straightforward design (it's an ARX cipher), and it appears to
be the leading software-optimized lightweight block cipher currently,
with the most cryptanalysis.  It's also easy to implement without side
channels, unlike AES.  Moreover, we only intend Speck to be used when
the status quo is no encryption, due to AES not being fast enough.

We've also considered a novel length-preserving encryption mode based on
ChaCha20 and Poly1305.  While theoretically attractive, such a mode
would be a brand new crypto construction and would be more complicated
and difficult to implement efficiently in comparison to Speck-XTS.

There is confusion about the byte and word orders of Speck, since the
original paper doesn't specify them.  But we have implemented it using
the orders the authors recommended in a correspondence with them.  The
test vectors are taken from the original paper but were mapped to byte
arrays using the recommended byte and word orders.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

(cherry picked from commit da7a0ab5b4babbe5d7a46f852582be06a00a28f0
 git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master)
Change-Id: Id13c44dee8e3817590950c178d54b24c3aee0b4e
Signed-off-by: Eric Biggers <ebiggers@google.com>
2018-02-22 13:22:09 -08:00
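The byte and word ordering discussed in the Speck commit message above, worked through as an added example (this is not code from the commit or the kernel tree). It assumes Speck128/128 with both words of a block stored little-endian and the paper's second word placed first in memory, and checks that mapping against the Speck128/128 test vector from the original paper; the function names are chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SPECK128_128_NROUNDS 32

static uint64_t rol64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static uint64_t ror64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

/* Explicit little-endian load/store, so results do not depend on host endianness. */
static uint64_t load_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

static void store_le64(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++, v >>= 8)
        p[i] = (uint8_t)v;
}

/* One ARX round: rotate, add, xor. No table lookups, no data-dependent branches. */
static void speck_round(uint64_t *x, uint64_t *y, uint64_t k)
{
    *x = (ror64(*x, 8) + *y) ^ k;
    *y = rol64(*y, 3) ^ *x;
}

static void speck_unround(uint64_t *x, uint64_t *y, uint64_t k)
{
    *y = ror64(*y ^ *x, 3);
    *x = rol64((*x ^ k) - *y, 8);
}

/* Key bytes 0..7 are the paper's k0, bytes 8..15 its l0 (both little-endian). */
void speck128_128_setkey(uint64_t rk[SPECK128_128_NROUNDS], const uint8_t key[16])
{
    uint64_t k = load_le64(key);
    uint64_t l = load_le64(key + 8);
    for (uint64_t i = 0; i < SPECK128_128_NROUNDS; i++) {
        rk[i] = k;
        speck_round(&l, &k, i); /* the key schedule reuses the round function */
    }
}

/* Block bytes 0..7 are the paper's y word, bytes 8..15 its x word. */
void speck128_128_encrypt(const uint64_t rk[SPECK128_128_NROUNDS],
                          uint8_t out[16], const uint8_t in[16])
{
    uint64_t y = load_le64(in), x = load_le64(in + 8);
    for (int i = 0; i < SPECK128_128_NROUNDS; i++)
        speck_round(&x, &y, rk[i]);
    store_le64(out, y);
    store_le64(out + 8, x);
}

void speck128_128_decrypt(const uint64_t rk[SPECK128_128_NROUNDS],
                          uint8_t out[16], const uint8_t in[16])
{
    uint64_t y = load_le64(in), x = load_le64(in + 8);
    for (int i = SPECK128_128_NROUNDS - 1; i >= 0; i--)
        speck_unround(&x, &y, rk[i]);
    store_le64(out, y);
    store_le64(out + 8, x);
}

/* The paper prints each vector as two hex words (first, second).
 * Byte-array form: second word first, each word little-endian. */
void paper_words_to_bytes(uint8_t out[16], uint64_t first, uint64_t second)
{
    store_le64(out, second);
    store_le64(out + 8, first);
}

/* Returns 0 when the mapping and the cipher agree with the paper's vector. */
int speck128_128_selftest(void)
{
    uint8_t key[16], pt[16], want[16], got[16], back[16];
    uint64_t rk[SPECK128_128_NROUNDS];

    /* Speck128/128 test vector as printed in the original Speck paper. */
    paper_words_to_bytes(key,  0x0f0e0d0c0b0a0908ULL, 0x0706050403020100ULL);
    paper_words_to_bytes(pt,   0x6c61766975716520ULL, 0x7469206564616d20ULL);
    paper_words_to_bytes(want, 0xa65d985179783265ULL, 0x7860fedf5c570d18ULL);

    /* With this ordering the plaintext bytes read as ASCII text. */
    if (memcmp(pt, " made it equival", 16) != 0)
        return -1;

    speck128_128_setkey(rk, key);
    speck128_128_encrypt(rk, got, pt);
    if (memcmp(got, want, 16) != 0)
        return -2;
    speck128_128_decrypt(rk, back, got);
    return memcmp(back, pt, 16) == 0 ? 0 : -3;
}

int main(void)
{
    printf("Speck128/128 self-test: %s\n", speck128_128_selftest() == 0 ? "ok" : "FAILED");
    return 0;
}
```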
Greg Kroah-Hartman
474d3c467b This is the 4.14.21 stable release

Merge 4.14.21 into android-4.14

Changes in 4.14.21
	tracing: Prevent PROFILE_ALL_BRANCHES when FORTIFY_SOURCE=y
	scsi: smartpqi: allow static build ("built-in")
	IB/umad: Fix use of unprotected device pointer
	IB/qib: Fix comparison error with qperf compare/swap test
	IB/mlx4: Fix incorrectly releasing steerable UD QPs when have only ETH ports
	IB/core: Fix two kernel warnings triggered by rxe registration
	IB/core: Fix ib_wc structure size to remain in 64 bytes boundary
	IB/core: Avoid a potential OOPs for an unused optional parameter
	selftests: seccomp: fix compile error seccomp_bpf
	kselftest: fix OOM in memory compaction test
	RDMA/rxe: Fix a race condition related to the QP error state
	RDMA/rxe: Fix a race condition in rxe_requester()
	RDMA/rxe: Fix rxe_qp_cleanup()
	cpufreq: powernv: Dont assume distinct pstate values for nominal and pmin
	swiotlb: suppress warning when __GFP_NOWARN is set
	PM / devfreq: Propagate error from devfreq_add_device()
	mwifiex: resolve reset vs. remove()/shutdown() deadlocks
	ocfs2: try a blocking lock before return AOP_TRUNCATED_PAGE
	powerpc/radix: Remove trace_tlbie call from radix__flush_tlb_all
	powerpc/numa: Invalidate numa_cpu_lookup_table on cpu remove
	powerpc/mm: Flush radix process translations when setting MMU type
	powerpc/xive: Use hw CPU ids when configuring the CPU queues
	powerpc: Fix DABR match on hash based systems
	dma-buf: fix reservation_object_wait_timeout_rcu once more v2
	s390: fix handling of -1 in set{,fs}[gu]id16 syscalls
	arm64: dts: msm8916: Correct ipc references for smsm
	ARM: lpc3250: fix uda1380 gpio numbers
	ARM: dts: STi: Add gpio polarity for "hdmi,hpd-gpio" property
	ARM: dts: nomadik: add interrupt-parent for clcd
	arm: dts: mt7623: fix card detection issue on bananapi-r2
	arm: spear600: Add missing interrupt-parent of rtc
	arm: spear13xx: Fix dmas cells
	arm: spear13xx: Fix spics gpio controller's warning
	drm/i915: add GT number to intel_device_info
	drm/i915/kbl: Change a KBL pci id to GT2 from GT1.5
	x86/gpu: add CFL to early quirks
	x86/kexec: Make kexec (mostly) work in 5-level paging mode
	x86/xen: init %gs very early to avoid page faults with stack protector
	x86: PM: Make APM idle driver initialize polling state
	x86/entry/64: Clear extra registers beyond syscall arguments, to reduce speculation attack surface
	x86/entry/64/compat: Clear registers for compat syscalls, to reduce speculation attack surface
	compiler-gcc.h: Introduce __optimize function attribute
	compiler-gcc.h: __nostackprotector needs gcc-4.4 and up
	crypto: sun4i_ss_prng - fix return value of sun4i_ss_prng_generate
	crypto: sun4i_ss_prng - convert lock to _bh in sun4i_ss_prng_generate
	powerpc/mm/radix: Split linear mapping on hot-unplug
	x86/mm/pti: Fix PTI comment in entry_SYSCALL_64()
	x86/speculation: Update Speculation Control microcode blacklist
	x86/speculation: Correct Speculation Control microcode blacklist again
	Revert "x86/speculation: Simplify indirect_branch_prediction_barrier()"
	KVM/x86: Reduce retpoline performance impact in slot_handle_level_range(), by always inlining iterator helper methods
	X86/nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs
	KVM/nVMX: Set the CPU_BASED_USE_MSR_BITMAPS if we have a valid L02 MSR bitmap
	x86/speculation: Clean up various Spectre related details
	PM / runtime: Update links_count also if !CONFIG_SRCU
	PM: cpuidle: Fix cpuidle_poll_state_init() prototype
	x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface
	x86/entry/64: Merge SAVE_C_REGS and SAVE_EXTRA_REGS, remove unused extensions
	x86/entry/64: Merge the POP_C_REGS and POP_EXTRA_REGS macros into a single POP_REGS macro
	x86/entry/64: Interleave XOR register clearing with PUSH instructions
	x86/entry/64: Introduce the PUSH_AND_CLEAN_REGS macro
	x86/entry/64: Use PUSH_AND_CLEAN_REGS in more cases
	x86/entry/64: Get rid of the ALLOC_PT_GPREGS_ON_STACK and SAVE_AND_CLEAR_REGS macros
	x86/entry/64: Indent PUSH_AND_CLEAR_REGS and POP_REGS properly
	x86/entry/64: Fix paranoid_entry() frame pointer warning
	x86/entry/64: Remove the unused 'icebp' macro
	selftests/x86: Fix vDSO selftest segfault for vsyscall=none
	selftests/x86: Clean up and document sscanf() usage
	selftests/x86/pkeys: Remove unused functions
	selftests/x86: Do not rely on "int $0x80" in test_mremap_vdso.c
	selftests/x86: Do not rely on "int $0x80" in single_step_syscall.c
	selftests/x86: Disable tests requiring 32-bit support on pure 64-bit systems
	objtool: Fix segfault in ignore_unreachable_insn()
	x86/debug, objtool: Annotate WARN()-related UD2 as reachable
	x86/debug: Use UD2 for WARN()
	x86/speculation: Fix up array_index_nospec_mask() asm constraint
	nospec: Move array_index_nospec() parameter checking into separate macro
	x86/speculation: Add <asm/msr-index.h> dependency
	kmemcheck: remove annotations
	kmemcheck: stop using GFP_NOTRACK and SLAB_NOTRACK
	kmemcheck: remove whats left of NOTRACK flags
	kmemcheck: rip it out
	kmemcheck: rip it out for real
	x86/mm: Rename flush_tlb_single() and flush_tlb_one() to __flush_tlb_one_[user|kernel]()
	selftests/x86/mpx: Fix incorrect bounds with old _sigfault
	x86/cpu: Rename cpu_data.x86_mask to cpu_data.x86_stepping
	x86/spectre: Fix an error message
	x86/cpu: Change type of x86_cache_size variable to unsigned int
	x86/entry/64: Fix CR3 restore in paranoid_exit()
	drm/ttm: Don't add swapped BOs to swap-LRU list
	drm/ttm: Fix 'buf' pointer update in ttm_bo_vm_access_kmap() (v2)
	drm/qxl: unref cursor bo when finished with it
	drm/amd/powerplay: Fix smu_table_entry.handle type
	drm/ast: Load lut in crtc_commit
	arm64: Add missing Falkor part number for branch predictor hardening
	drm/radeon: Add dpm quirk for Jet PRO (v2)
	drm/radeon: adjust tested variable
	rtc-opal: Fix handling of firmware error codes, prevent busy loops
	mbcache: initialize entry->e_referenced in mb_cache_entry_create()
	mmc: sdhci: Implement an SDHCI-specific bounce buffer
	mmc: bcm2835: Don't overwrite max frequency unconditionally
	Revert "mmc: meson-gx: include tx phase in the tuning process"
	mlx5: fix mlx5_get_vector_affinity to start from completion vector 0
	Revert "apple-gmux: lock iGP IO to protect from vgaarb changes"
	jbd2: fix sphinx kernel-doc build warnings
	ext4: fix a race in the ext4 shutdown path
	ext4: save error to disk in __ext4_grp_locked_error()
	ext4: correct documentation for grpid mount option
	mm: hide a #warning for COMPILE_TEST
	mm: Fix memory size alignment in devm_memremap_pages_release()
	MIPS: Fix typo BIG_ENDIAN to CPU_BIG_ENDIAN
	MIPS: Fix incorrect mem=X@Y handling
	PCI: Disable MSI for HiSilicon Hip06/Hip07 only in Root Port mode
	PCI: iproc: Fix NULL pointer dereference for BCMA
	PCI: keystone: Fix interrupt-controller-node lookup
	video: fbdev: atmel_lcdfb: fix display-timings lookup
	console/dummy: leave .con_font_get set to NULL
	rbd: whitelist RBD_FEATURE_OPERATIONS feature bit
	xen: Fix {set,clear}_foreign_p2m_mapping on autotranslating guests
	xenbus: track caller request id
	seq_file: fix incomplete reset on read from zero offset
	tracing: Fix parsing of globs with a wildcard at the beginning
	mpls, nospec: Sanitize array index in mpls_label_ok()
	rtlwifi: rtl8821ae: Fix connection lost problem correctly
	arm64: proc: Set PTE_NG for table entries to avoid traversing them twice
	qxl: alloc & use shadow for dumb buffers
	drm/qxl: reapply cursor after resetting primary
	xprtrdma: Fix calculation of ri_max_send_sges
	xprtrdma: Fix BUG after a device removal
	blk-wbt: account flush requests correctly
	target/iscsi: avoid NULL dereference in CHAP auth error path
	iscsi-target: make sure to wake up sleeping login worker
	dm: correctly handle chained bios in dec_pending()
	Btrfs: fix deadlock in run_delalloc_nocow
	Btrfs: fix crash due to not cleaning up tree log block's dirty bits
	Btrfs: fix extent state leak from tree log
	Btrfs: fix btrfs_evict_inode to handle abnormal inodes correctly
	Btrfs: fix use-after-free on root->orphan_block_rsv
	Btrfs: fix unexpected -EEXIST when creating new inode
	9p/trans_virtio: discard zero-length reply
	mtd: nand: vf610: set correct ooblayout
	ALSA: hda - Fix headset mic detection problem for two Dell machines
	ALSA: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute
	ALSA: hda/realtek - Add headset mode support for Dell laptop
	ALSA: hda/realtek - Enable Thinkpad Dock device for ALC298 platform
	ALSA: hda/realtek: PCI quirk for Fujitsu U7x7
	ALSA: usb-audio: add implicit fb quirk for Behringer UFX1204
	ALSA: usb: add more device quirks for USB DSD devices
	ALSA: seq: Fix racy pool initializations
	mvpp2: fix multicast address filter
	usb: Move USB_UHCI_BIG_ENDIAN_* out of USB_SUPPORT
	x86/mm, mm/hwpoison: Don't unconditionally unmap kernel 1:1 pages
	scsi: core: check for device state in __scsi_remove_target()
	Bluetooth: BT_HCIUART now depends on SERIAL_DEV_BUS
	ARM: dts: exynos: fix RTC interrupt for exynos5410
	ARM: pxa/tosa-bt: add MODULE_LICENSE tag
	arm64: dts: msm8916: Add missing #phy-cells
	ARM: dts: s5pv210: add interrupt-parent for ohci
	arm: dts: mt7623: Update ethsys binding
	arm: dts: mt2701: Add reset-cells
	ARM: dts: Delete bogus reference to the charlcd
	media: r820t: fix r820t_write_reg for KASAN
	mmc: sdhci-of-esdhc: disable SD clock for clock value 0
	mmc: sdhci-of-esdhc: fix eMMC couldn't work after kexec
	mmc: sdhci-of-esdhc: fix the mmc error after sleep on ls1046ardb
	ASoC: acpi: fix machine driver selection based on quirk
	ovl: hash directory inodes for fsnotify
	Linux 4.14.21

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-02-22 18:12:09 +01:00
Levin, Alexander (Sasha Levin)
ae63fd26b2 kmemcheck: stop using GFP_NOTRACK and SLAB_NOTRACK
commit 75f296d93bcebcfe375884ddac79e30263a31766 upstream.

Convert all allocations that used a NOTRACK flag to stop using it.

Link: http://lkml.kernel.org/r/20171007030159.22241-3-alexander.levin@verizon.com
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Tim Hansen <devtimhansen@gmail.com>
Cc: Vegard Nossum <vegardno@ifi.uio.no>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-02-22 15:42:23 +01:00
Greg Kroah-Hartman
0a91e84c5c This is the 4.14.20 stable release

Merge 4.14.20 into android-4.14

Changes in 4.14.20
	watchdog: indydog: Add dependency on SGI_HAS_INDYDOG
	powerpc/pseries: include linux/types.h in asm/hvcall.h
	cifs: Fix missing put_xid in cifs_file_strict_mmap
	cifs: Fix autonegotiate security settings mismatch
	CIFS: zero sensitive data when freeing
	cpufreq: mediatek: add mediatek related projects into blacklist
	dmaengine: dmatest: fix container_of member in dmatest_callback
	sched/wait: Fix add_wait_queue() behavioral change
	watchdog: gpio_wdt: set WDOG_HW_RUNNING in gpio_wdt_stop
	arm64: Define cputype macros for Falkor CPU
	arm64: Add software workaround for Falkor erratum 1041
	KVM MMU: check pending exception before injecting APF
	sched/rt: Use container_of() to get root domain in rto_push_irq_work_func()
	sched/rt: Up the root domain ref count when passing it around via IPIs
	drm/i915: Add .get_hw_state() method for planes
	drm/i915: Redo plane sanitation during readout
	drm/i915: Fix deadlock in i830_disable_pipe()
	dccp: CVE-2017-8824: use-after-free in DCCP code
	media: dvb-usb-v2: lmedm04: Improve logic checking of warm start
	media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner
	media: hdpvr: Fix an error handling path in hdpvr_probe()
	arm64: move TASK_* definitions to <asm/processor.h>
	arm64: mm: Use non-global mappings for kernel space
	arm64: mm: Temporarily disable ARM64_SW_TTBR0_PAN
	arm64: mm: Move ASID from TTBR0 to TTBR1
	arm64: mm: Remove pre_ttbr0_update_workaround for Falkor erratum #E1003
	arm64: mm: Rename post_ttbr0_update_workaround
	arm64: mm: Fix and re-enable ARM64_SW_TTBR0_PAN
	arm64: mm: Allocate ASIDs in pairs
	arm64: mm: Add arm64_kernel_unmapped_at_el0 helper
	arm64: mm: Invalidate both kernel and user ASIDs when performing TLBI
	arm64: entry: Add exception trampoline page for exceptions from EL0
	arm64: mm: Map entry trampoline into trampoline and kernel page tables
	arm64: entry: Explicitly pass exception level to kernel_ventry macro
	arm64: entry: Hook up entry trampoline to exception vectors
	arm64: erratum: Work around Falkor erratum #E1003 in trampoline code
	arm64: cpu_errata: Add Kryo to Falkor 1003 errata
	arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks
	arm64: entry: Add fake CPU feature for unmapping the kernel at EL0
	arm64: kaslr: Put kernel vectors address in separate data page
	arm64: use RET instruction for exiting the trampoline
	arm64: Kconfig: Add CONFIG_UNMAP_KERNEL_AT_EL0
	arm64: Kconfig: Reword UNMAP_KERNEL_AT_EL0 kconfig entry
	arm64: Take into account ID_AA64PFR0_EL1.CSV3
	arm64: capabilities: Handle duplicate entries for a capability
	arm64: mm: Introduce TTBR_ASID_MASK for getting at the ASID in the TTBR
	arm64: kpti: Fix the interaction between ASID switching and software PAN
	arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs
	arm64: Turn on KPTI only on CPUs that need it
	arm64: kpti: Make use of nG dependent on arm64_kernel_unmapped_at_el0()
	arm64: mm: Permit transitioning from Global to Non-Global without BBM
	arm64: kpti: Add ->enable callback to remap swapper using nG mappings
	arm64: Force KPTI to be disabled on Cavium ThunderX
	arm64: entry: Reword comment about post_ttbr_update_workaround
	arm64: idmap: Use "awx" flags for .idmap.text .pushsection directives
	arm64: barrier: Add CSDB macros to control data-value prediction
	arm64: Implement array_index_mask_nospec()
	arm64: Make USER_DS an inclusive limit
	arm64: Use pointer masking to limit uaccess speculation
	arm64: entry: Ensure branch through syscall table is bounded under speculation
	arm64: uaccess: Prevent speculative use of the current addr_limit
	arm64: uaccess: Don't bother eliding access_ok checks in __{get, put}_user
	arm64: uaccess: Mask __user pointers for __arch_{clear, copy_*}_user
	arm64: futex: Mask __user pointers prior to dereference
	arm64: cpufeature: __this_cpu_has_cap() shouldn't stop early
	arm64: Run enable method for errata work arounds on late CPUs
	arm64: cpufeature: Pass capability structure to ->enable callback
	drivers/firmware: Expose psci_get_version through psci_ops structure
	arm64: Move post_ttbr_update_workaround to C code
	arm64: Add skeleton to harden the branch predictor against aliasing attacks
	arm64: Move BP hardening to check_and_switch_context
	arm64: KVM: Use per-CPU vector when BP hardening is enabled
	arm64: entry: Apply BP hardening for high-priority synchronous exceptions
	arm64: entry: Apply BP hardening for suspicious interrupts from EL0
	arm64: cputype: Add missing MIDR values for Cortex-A72 and Cortex-A75
	arm64: Implement branch predictor hardening for affected Cortex-A CPUs
	arm64: Implement branch predictor hardening for Falkor
	arm64: Branch predictor hardening for Cavium ThunderX2
	arm64: KVM: Increment PC after handling an SMC trap
	arm/arm64: KVM: Consolidate the PSCI include files
	arm/arm64: KVM: Add PSCI_VERSION helper
	arm/arm64: KVM: Add smccc accessors to PSCI code
	arm/arm64: KVM: Implement PSCI 1.0 support
	arm/arm64: KVM: Advertise SMCCC v1.1
	arm64: KVM: Make PSCI_VERSION a fast path
	arm/arm64: KVM: Turn kvm_psci_version into a static inline
	arm64: KVM: Report SMCCC_ARCH_WORKAROUND_1 BP hardening support
	arm64: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling
	firmware/psci: Expose PSCI conduit
	firmware/psci: Expose SMCCC version through psci_ops
	arm/arm64: smccc: Make function identifiers an unsigned quantity
	arm/arm64: smccc: Implement SMCCC v1.1 inline primitive
	arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support
	arm64: Kill PSCI_GET_VERSION as a variant-2 workaround
	mtd: cfi: convert inline functions to macros
	mtd: nand: brcmnand: Disable prefetch by default
	mtd: nand: Fix nand_do_read_oob() return value
	mtd: nand: sunxi: Fix ECC strength choice
	ubi: Fix race condition between ubi volume creation and udev
	ubi: fastmap: Erase outdated anchor PEBs during attach
	ubi: block: Fix locking for idr_alloc/idr_remove
	ubifs: free the encrypted symlink target
	nfs/pnfs: fix nfs_direct_req ref leak when i/o falls back to the mds
	nfs41: do not return ENOMEM on LAYOUTUNAVAILABLE
	NFS: Add a cond_resched() to nfs_commit_release_pages()
	NFS: Fix nfsstat breakage due to LOOKUPP
	NFS: commit direct writes even if they fail partially
	NFS: reject request for id_legacy key without auxdata
	NFS: Fix a race between mmap() and O_DIRECT
	kernfs: fix regression in kernfs_fop_write caused by wrong type
	ahci: Annotate PCI ids for mobile Intel chipsets as such
	ahci: Add PCI ids for Intel Bay Trail, Cherry Trail and Apollo Lake AHCI
	ahci: Add Intel Cannon Lake PCH-H PCI ID
	crypto: hash - introduce crypto_hash_alg_has_setkey()
	crypto: cryptd - pass through absence of ->setkey()
	crypto: mcryptd - pass through absence of ->setkey()
	crypto: poly1305 - remove ->setkey() method
	crypto: hash - annotate algorithms taking optional key
	crypto: hash - prevent using keyed hashes without setting key
	media: v4l2-ioctl.c: use check_fmt for enum/g/s/try_fmt
	media: v4l2-ioctl.c: don't copy back the result for -ENOTTY
	media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF
	media: v4l2-compat-ioctl32.c: fix the indentation
	media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32
	media: v4l2-compat-ioctl32.c: avoid sizeof(type)
	media: v4l2-compat-ioctl32.c: copy m.userptr in put_v4l2_plane32
	media: v4l2-compat-ioctl32.c: fix ctrl_is_pointer
	media: v4l2-compat-ioctl32.c: copy clip list in put_v4l2_window32
	media: v4l2-compat-ioctl32.c: drop pr_info for unknown buffer type
	media: v4l2-compat-ioctl32.c: don't copy back the result for certain errors
	media: v4l2-compat-ioctl32.c: refactor compat ioctl32 logic
	media: v4l2-compat-ioctl32.c: make ctrl_is_pointer work for subdevs
	crypto: caam - fix endless loop when DECO acquire fails
	crypto: sha512-mb - initialize pending lengths correctly
	arm: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls
	KVM: nVMX: Fix races when sending nested PI while dest enters/leaves L2
	KVM: nVMX: Fix bug of injecting L2 exception into L1
	KVM: PPC: Book3S HV: Make sure we don't re-enter guest without XIVE loaded
	KVM: PPC: Book3S HV: Drop locks before reading guest memory
	KVM: arm/arm64: Handle CPU_PM_ENTER_FAILED
	KVM: PPC: Book3S PR: Fix broken select due to misspelling
	ASoC: rockchip: i2s: fix playback after runtime resume
	ASoC: skl: Fix kernel warning due to zero NHTL entry
	watchdog: imx2_wdt: restore previous timeout after suspend+resume
	Btrfs: raid56: iterate raid56 internal bio with bio_for_each_segment_all
	kasan: don't emit builtin calls when sanitization is off
	kasan: rework Kconfig settings
	media: dvb-frontends: fix i2c access helpers for KASAN
	media: ts2020: avoid integer overflows on 32 bit machines
	media: cxusb, dib0700: ignore XC2028_I2C_FLUSH
	fs/proc/kcore.c: use probe_kernel_read() instead of memcpy()
	kernel/async.c: revert "async: simplify lowest_in_progress()"
	kernel/relay.c: revert "kernel/relay.c: fix potential memory leak"
	pipe: actually allow root to exceed the pipe buffer limits
	pipe: fix off-by-one error when checking buffer limits
	HID: quirks: Fix keyboard + touchpad on Toshiba Click Mini not working
	Bluetooth: btsdio: Do not bind to non-removable BCM43341
	Revert "Bluetooth: btusb: fix QCA Rome suspend/resume"
	Bluetooth: btusb: Restore QCA Rome suspend/resume fix with a "rewritten" version
	ipmi: use dynamic memory for DMI driver override
	signal/openrisc: Fix do_unaligned_access to send the proper signal
	signal/sh: Ensure si_signo is initialized in do_divide_error
	alpha: fix crash if pthread_create races with signal delivery
	alpha: osf_sys.c: fix put_tv32 regression
	alpha: Fix mixed up args in EXC macro in futex operations
	alpha: fix reboot on Avanti platform
	alpha: fix formating of stack content
	xtensa: fix futex_atomic_cmpxchg_inatomic
	EDAC, octeon: Fix an uninitialized variable warning
	pinctrl: intel: Initialize GPIO properly when used through irqchip
	pinctrl: mcp23s08: fix irq setup order
	pinctrl: sx150x: Unregister the pinctrl on release
	pinctrl: sx150x: Register pinctrl before adding the gpiochip
	pinctrl: sx150x: Add a static gpio/pinctrl pin range mapping
	pktcdvd: Fix pkt_setup_dev() error path
	pktcdvd: Fix a recently introduced NULL pointer dereference
	blk-mq: quiesce queue before freeing queue
	clocksource/drivers/stm32: Fix kernel panic with multiple timers
	lib/ubsan.c: s/missaligned/misaligned/
	lib/ubsan: add type mismatch handler for new GCC/Clang
	btrfs: Handle btrfs_set_extent_delalloc failure in fixup worker
	objtool: Fix switch-table detection
	arm64: dts: marvell: add Ethernet aliases
	drm/i915: Avoid PPS HW/SW state mismatch due to rounding
	ACPI: sbshc: remove raw pointer from printk() message
	acpi, nfit: fix register dimm error handling
	ovl: fix failure to fsync lower dir
	ovl: take mnt_want_write() for removing impure xattr
	mn10300/misalignment: Use SIGSEGV SEGV_MAPERR to report a failed user copy
	devpts: fix error handling in devpts_mntget()
	ftrace: Remove incorrect setting of glob search field
	scsi: core: Ensure that the SCSI error handler gets woken up
	rcu: Export init_rcu_head() and destroy_rcu_head() to GPL modules
	scsi: lpfc: Fix crash after bad bar setup on driver attachment
	scsi: cxlflash: Reset command ioasc
	Linux 4.14.20

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-02-17 14:54:49 +01:00
Eric Biggers
2f00eb2790 crypto: hash - prevent using keyed hashes without setting key
commit 9fa68f620041be04720d0cbfb1bd3ddfc6310b24 upstream.

Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding.  Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.

A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool.  However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed.  Examples of this include:

    - KEYCTL_DH_COMPUTE, via the KDF extension
    - dm-verity
    - dm-crypt, via the ESSIV support
    - dm-integrity, via the "internal hash" mode with no key given
    - drbd (Distributed Replicated Block Device)

This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.

Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not.  Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.

The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-02-16 20:23:00 +01:00
Eric Biggers
8d906d183b crypto: hash - annotate algorithms taking optional key
commit a208fa8f33031b9e0aba44c7d1b7e68eb0cbd29e upstream.

We need to consistently enforce that keyed hashes cannot be used without
setting the key.  To do this we need a reliable way to determine whether
a given hash algorithm is keyed or not.  AF_ALG currently does this by
checking for the presence of a ->setkey() method.  However, this is
actually slightly broken because the CRC-32 algorithms implement
->setkey() but can also be used without a key.  (The CRC-32 "key" is not
actually a cryptographic key but rather represents the initial state.
If not overridden, then a default initial state is used.)

Prepare to fix this by introducing a flag CRYPTO_ALG_OPTIONAL_KEY which
indicates that the algorithm has a ->setkey() method, but it is not
required to be called.  Then set it on all the CRC-32 algorithms.

The same also applies to the Adler-32 implementation in Lustre.

Also, the cryptd and mcryptd templates have to pass through the flag
from their underlying algorithm.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-02-16 20:23:00 +01:00
Eric Biggers
b806c0cc4c crypto: poly1305 - remove ->setkey() method
commit a16e772e664b9a261424107784804cffc8894977 upstream.

Since Poly1305 requires a nonce per invocation, the Linux kernel
implementations of Poly1305 don't use the crypto API's keying mechanism
and instead expect the key and nonce as the first 32 bytes of the data.
But ->setkey() is still defined as a stub returning an error code.  This
prevents Poly1305 from being used through AF_ALG and will also break it
completely once we start enforcing that all crypto API users (not just
AF_ALG) call ->setkey() if present.

Fix it by removing crypto_poly1305_setkey(), leaving ->setkey as NULL.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-02-16 20:23:00 +01:00
Eric Biggers
16210524c4 crypto: mcryptd - pass through absence of ->setkey()
commit fa59b92d299f2787e6bae1ff078ee0982e80211f upstream.

When the mcryptd template is used to wrap an unkeyed hash algorithm,
don't install a ->setkey() method to the mcryptd instance.  This change
is necessary for mcryptd to keep working with unkeyed hash algorithms
once we start enforcing that ->setkey() is called when present.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-02-16 20:23:00 +01:00
Eric Biggers
ed7b0af0ca crypto: cryptd - pass through absence of ->setkey()
commit 841a3ff329713f796a63356fef6e2f72e4a3f6a3 upstream.

When the cryptd template is used to wrap an unkeyed hash algorithm,
don't install a ->setkey() method to the cryptd instance.  This change
is necessary for cryptd to keep working with unkeyed hash algorithms
once we start enforcing that ->setkey() is called when present.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-02-16 20:22:59 +01:00
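The keying rules introduced across the four commits above (CRYPTO_TFM_NEED_KEY, CRYPTO_ALG_OPTIONAL_KEY, and the cryptd/mcryptd pass-through), as an added userspace model; it is not kernel code. The `model_*` and `wrap_*` names, the three sample algorithms and the numeric flag values are constructed for this example; only the flag names and `-ENOKEY` come from the commit messages.

```c
#include <errno.h>
#include <stdio.h>

#ifndef ENOKEY
#define ENOKEY 126 /* Linux errno value; fallback for platforms without it */
#endif

/* Flag names from the commit messages; numeric values constructed for this model. */
#define CRYPTO_ALG_OPTIONAL_KEY 0x1u /* algorithm has ->setkey() but may be used unkeyed */
#define CRYPTO_TFM_NEED_KEY     0x1u /* transform must be keyed before use */

struct model_alg {
    const char *name;
    int has_setkey;     /* models "->setkey != NULL" */
    unsigned alg_flags;
};

struct model_tfm {
    struct model_alg alg;
    unsigned crt_flags;
};

/* Constructed sample algorithms: unkeyed, keyed, and optionally keyed. */
static const struct model_alg MODEL_SHA256 = { "sha256",       0, 0 };
static const struct model_alg MODEL_HMAC   = { "hmac(sha256)", 1, 0 };
static const struct model_alg MODEL_CRC32  = { "crc32",        1, CRYPTO_ALG_OPTIONAL_KEY };

/* A new transform needs a key iff the algorithm has ->setkey() and the key is not optional. */
struct model_tfm model_alloc(struct model_alg alg)
{
    struct model_tfm tfm = { alg, 0 };
    if (alg.has_setkey && !(alg.alg_flags & CRYPTO_ALG_OPTIONAL_KEY))
        tfm.crt_flags |= CRYPTO_TFM_NEED_KEY;
    return tfm;
}

/* A successful setkey clears the flag. -ENOSYS for unkeyed algorithms is a choice of this model. */
int model_setkey(struct model_tfm *tfm)
{
    if (!tfm->alg.has_setkey)
        return -ENOSYS;
    tfm->crt_flags &= ~CRYPTO_TFM_NEED_KEY;
    return 0;
}

/* Stands in for the init, import and digest entry points, which all refuse an unkeyed transform. */
int model_init(const struct model_tfm *tfm)
{
    return (tfm->crt_flags & CRYPTO_TFM_NEED_KEY) ? -ENOKEY : 0;
}

/* A wrapper template that always installs ->setkey(): what the cryptd/mcryptd commits avoid. */
struct model_alg wrap_naive(struct model_alg inner)
{
    struct model_alg w = { inner.name, 1, 0 };
    return w;
}

/* A wrapper that passes through both the absence of ->setkey() and the optional-key flag. */
struct model_alg wrap_passthrough(struct model_alg inner)
{
    struct model_alg w = { inner.name, inner.has_setkey,
                           inner.alg_flags & CRYPTO_ALG_OPTIONAL_KEY };
    return w;
}

static void show(const char *how, struct model_alg alg)
{
    struct model_tfm tfm = model_alloc(alg);
    printf("%-12s %-13s unkeyed init -> %d\n", how, alg.name, model_init(&tfm));
}

int main(void)
{
    const struct model_alg algs[] = { MODEL_SHA256, MODEL_HMAC, MODEL_CRC32 };
    for (int i = 0; i < 3; i++) {
        show("direct", algs[i]);
        show("naive wrap", wrap_naive(algs[i]));
        show("passthrough", wrap_passthrough(algs[i]));
    }
    return 0;
}
```

The naive wrapper makes a wrapped unkeyed hash and a wrapped CRC-32 fail with `-ENOKEY`, which is why the wrapper changes had to land before enforcement.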
Eric Biggers
b8b32e2e68 crypto: hash - introduce crypto_hash_alg_has_setkey()
commit cd6ed77ad5d223dc6299fb58f62e0f5267f7e2ba upstream.

Templates that use an shash spawn can use crypto_shash_alg_has_setkey()
to determine whether the underlying algorithm requires a key or not.
But there was no corresponding function for ahash spawns.  Add it.

Note that the new function actually has to support both shash and ahash
algorithms, since the ahash API can be used with either.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-02-16 20:22:59 +01:00
Greg Kroah-Hartman
fb6faf0423 This is the 4.14.19 stable release

Merge 4.14.19 into android-4.14

Changes in 4.14.19
	.gitignore: sort normal pattern rules alphabetically
	.gitignore: move *.dtb and *.dtb.S patterns to the top-level .gitignore
	kbuild: rpm-pkg: keep spec file until make mrproper
	ip6mr: fix stale iterator
	net: igmp: add a missing rcu locking section
	qlcnic: fix deadlock bug
	qmi_wwan: Add support for Quectel EP06
	r8169: fix RTL8168EP take too long to complete driver initialization.
	tcp: release sk_frag.page in tcp_disconnect
	vhost_net: stop device during reset owner
	Revert "defer call to mem_cgroup_sk_alloc()"
	net: ipv6: send unsolicited NA after DAD
	rocker: fix possible null pointer dereference in rocker_router_fib_event_work
	tcp_bbr: fix pacing_gain to always be unity when using lt_bw
	ipv6: Fix SO_REUSEPORT UDP socket with implicit sk_ipv6only
	soreuseport: fix mem leak in reuseport_add_sock()
	media: mtk-vcodec: add missing MODULE_LICENSE/DESCRIPTION
	media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
	crypto: tcrypt - fix S/G table for test_aead_speed()
	arch: define weak abort()
	kernel/exit.c: export abort() to modules
	scsi: storvsc: missing error code in storvsc_probe()
	Revert "x86/alternative: Print unadorned pointers"
	Linux 4.14.19

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-02-13 12:53:38 +01:00
Robert Baronescu
3a570cfe78 crypto: tcrypt - fix S/G table for test_aead_speed()
commit 5c6ac1d4f8fbdbed65dbeb8cf149d736409d16a1 upstream.

In case buffer length is a multiple of PAGE_SIZE,
the S/G table is incorrectly generated.
Fix this by handling buflen = k * PAGE_SIZE separately.

Signed-off-by: Robert Baronescu <robert.baronescu@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-02-13 10:19:49 +01:00
Greg Kroah-Hartman
faeb94c01f This is the 4.14.17 stable release

Merge 4.14.17 into android-4.14

Changes in 4.14.17
	futex: Fix OWNER_DEAD fixup
	loop: fix concurrent lo_open/lo_release
	KVM: x86: Fix CPUID function for word 6 (80000001_ECX)
	tools/gpio: Fix build error with musl libc
	gpio: stmpe: i2c transfer are forbiden in atomic context
	gpio: Fix kernel stack leak to userspace
	ALSA: hda - Reduce the suspend time consumption for ALC256
	crypto: ecdh - fix typo in KPP dependency of CRYPTO_ECDH
	crypto: aesni - handle zero length dst buffer
	crypto: aesni - fix typo in generic_gcmaes_decrypt
	crypto: gcm - add GCM IV size constant
	crypto: aesni - Use GCM IV size constant
	crypto: aesni - add wrapper for generic gcm(aes)
	crypto: aesni - Fix out-of-bounds access of the data buffer in generic-gcm-aesni
	crypto: aesni - Fix out-of-bounds access of the AAD buffer in generic-gcm-aesni
	crypto: inside-secure - fix hash when length is a multiple of a block
	crypto: inside-secure - avoid unmapping DMA memory that was not mapped
	crypto: sha3-generic - fixes for alignment and big endian operation
	crypto: af_alg - whitelist mask and type
	HID: wacom: EKR: ensure devres groups at higher indexes are released
	HID: wacom: Fix reporting of touch toggle (WACOM_HID_WD_MUTE_DEVICE) events
	power: reset: zx-reboot: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
	gpio: iop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
	gpio: ath79: add missing MODULE_DESCRIPTION/LICENSE
	mtd: nand: denali_pci: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
	igb: Free IRQs when device is hotplugged
	ima/policy: fix parsing of fsuuid
	scsi: aacraid: Fix udev inquiry race condition
	scsi: aacraid: Fix hang in kdump
	VFS: Handle lazytime in do_mount()
	drm/vc4: Account for interrupts in flight
	btrfs: Fix transaction abort during failure in btrfs_rm_dev_item
	Btrfs: bail out gracefully rather than BUG_ON
	cpupowerutils: bench - Fix cpu online check
	cpupower : Fix cpupower working when cpu0 is offline
	KVM: nVMX/nSVM: Don't intercept #UD when running L2
	KVM: x86: emulator: Return to user-mode on L1 CPL=0 emulation failure
	KVM: x86: Don't re-execute instruction when not passing CR2 value
	KVM: X86: Fix operand/address-size during instruction decoding
	KVM: nVMX: Fix mmu context after VMLAUNCH/VMRESUME failure
	KVM: x86: fix em_fxstor() sleeping while in atomic
	KVM: x86: ioapic: Fix level-triggered EOI and IOAPIC reconfigure race
	KVM: x86: ioapic: Clear Remote IRR when entry is switched to edge-triggered
	KVM: x86: ioapic: Preserve read-only values in the redirection table
	KVM: nVMX: Fix vmx_check_nested_events() return value in case an event was reinjected to L2
	nvme-fabrics: introduce init command check for a queue that is not alive
	nvme-fc: check if queue is ready in queue_rq
	nvme-loop: check if queue is ready in queue_rq
	nvme-pci: disable APST on Samsung SSD 960 EVO + ASUS PRIME B350M-A
	nvme-pci: avoid hmb desc array idx out-of-bound when hmmaxd set.
	nvmet-fc: correct ref counting error when deferred rcv used
	s390/topology: fix compile error in file arch/s390/kernel/smp.c
	s390/zcrypt: Fix wrong comparison leading to strange load balancing
	ACPI / bus: Leave modalias empty for devices which are not present
	cpufreq: Add Loongson machine dependencies
	null_blk: fix dev->badblocks leak
	s390: fix alloc_pgste check in init_new_context again
	rxrpc: The mutex lock returned by rxrpc_accept_call() needs releasing
	rxrpc: Provide a different lockdep key for call->user_mutex for kernel calls
	rxrpc: Fix service endpoint expiry
	bcache: check return value of register_shrinker
	drm/amdgpu: Fix SDMA load/unload sequence on HWS disabled mode
	drm/amdkfd: Fix SDMA ring buffer size calculation
	drm/amdkfd: Fix SDMA oversubsription handling
	uapi: fix linux/kfd_ioctl.h userspace compilation errors
	nvme-rdma: don't complete requests before a send work request has completed
	openvswitch: fix the incorrect flow action alloc size
	drm/rockchip: dw-mipi-dsi: fix possible un-balanced runtime PM enable
	mac80211: use QoS NDP for AP probing
	mac80211: fix the update of path metric for RANN frame
	btrfs: fix deadlock when writing out space cache
	sctp: only allow the asoc reset when the asoc outq is empty
	sctp: avoid flushing unsent queue when doing asoc reset
	sctp: set sender next_tsn for the old result with ctsn_ack_point plus 1
	reiserfs: remove unneeded i_version bump
	KVM: X86: Fix softlockup when get the current kvmclock
	KVM: VMX: Fix rflags cache during vCPU reset
	Btrfs: fix list_add corruption and soft lockups in fsync
	KVM: Let KVM_SET_SIGNAL_MASK work as advertised
	xfs: always free inline data before resetting inode fork during ifree
	xfs: log recovery should replay deferred ops in order
	i2c: i2c-boardinfo: fix memory leaks on devinfo
	xen-netfront: remove warning when unloading module
	auxdisplay: img-ascii-lcd: Only build on archs that have IOMEM
	nfsd: CLOSE SHOULD return the invalid special stateid for NFSv4.x (x>0)
	nfsd: Ensure we check stateid validity in the seqid operation checks
	grace: replace BUG_ON by WARN_ONCE in exit_net hook
	nfsd: check for use of the closed special stateid
	race of lockd inetaddr notifiers vs nlmsvc_rqst change
	lockd: fix "list_add double add" caused by legacy signal interface
	hwmon: (pmbus) Use 64bit math for DIRECT format values
	quota: propagate error from __dquot_initialize
	net: mvpp2: fix the txq_init error path
	net: phy: marvell10g: fix the PHY id mask
	bnxt_en: Fix an error handling path in 'bnxt_get_module_eeprom()'
	Btrfs: incremental send, fix wrong unlink path after renaming file
	nvme-pci: fix NULL pointer dereference in nvme_free_host_mem()
	xfs: fortify xfs_alloc_buftarg error handling
	drm/amdgpu: don't try to move pinned BOs
	net: ethernet: xilinx: Mark XILINX_LL_TEMAC broken on 64-bit
	quota: Check for register_shrinker() failure.
	SUNRPC: Allow connect to return EHOSTUNREACH
	scripts/faddr2line: extend usage on generic arch
	kmemleak: add scheduling point to kmemleak_scan()
	drm/bridge: Fix lvds-encoder since the panel_bridge rework.
	drm/bridge: tc358767: do no fail on hi-res displays
	drm/bridge: tc358767: filter out too high modes
	drm/bridge: tc358767: fix DP0_MISC register set
	drm/bridge: tc358767: fix timing calculations
	drm/bridge: tc358767: fix AUXDATAn registers access
	drm/bridge: tc358767: fix 1-lane behavior
	drm/omap: Fix error handling path in 'omap_dmm_probe()'
	drm/omap: displays: panel-dpi: add backlight dependency
	xfs: ubsan fixes
	xfs: Properly retry failed dquot items in case of error during buffer writeback
	perf/core: Fix memory leak triggered by perf --namespace
	scsi: aacraid: Prevent crash in case of free interrupt during scsi EH path
	scsi: ufs: ufshcd: fix potential NULL pointer dereference in ufshcd_config_vreg
	iwlwifi: mvm: fix the TX queue hang timeout for MONITOR vif type
	iwlwifi: fix access to prph when transport is stopped
	ARM: dts: NSP: Disable AHCI controller for HR NSP boards
	ARM: dts: NSP: Fix PPI interrupt types
	media: usbtv: add a new usbid
	x86/xen: Support early interrupts in xen pv guests
	usb: gadget: don't dereference g until after it has been null checked
	staging: rtl8188eu: Fix incorrect response to SIOCGIWESSID
	drm/vc4: Move IRQ enable to PM path
	KVM: x86: emulate #UD while in guest mode
	staging: lustre: separate a connection destroy from free struct kib_conn
	staging: ccree: NULLify backup_info when unused
	staging: ccree: fix fips event irq handling build
	tty: fix data race between tty_init_dev and flush of buf
	usb: option: Add support for FS040U modem
	USB: serial: pl2303: new device id for Chilitag
	USB: cdc-acm: Do not log urb submission errors on disconnect
	CDC-ACM: apply quirk for card reader
	USB: serial: io_edgeport: fix possible sleep-in-atomic
	usbip: prevent bind loops on devices attached to vhci_hcd
	usbip: list: don't list devices attached to vhci_hcd
	USB: serial: simple: add Motorola Tetra driver
	usb: f_fs: Prevent gadget unbind if it is already unbound
	usb: uas: unconditionally bring back host after reset
	usb/gadget: Fix "high bandwidth" check in usb_gadget_ep_match_desc()
	ANDROID: binder: remove waitqueue when thread exits.
	android: binder: use VM_ALLOC to get vm area
	mei: me: allow runtime pm for platform with D0i3
	serial: 8250_of: fix return code when probe function fails to get reset
	serial: 8250_uniphier: fix error return code in uniphier_uart_probe()
	serial: imx: Only wakeup via RTSDEN bit if the system has RTS/CTS
	spi: imx: do not access registers while clocks disabled
	iio: adc: stm32: fix scan of multiple channels with DMA
	iio: chemical: ccs811: Fix output of IIO_CONCENTRATION channels
	test_firmware: fix missing unlock on error in config_num_requests_store()
	Input: synaptics-rmi4 - unmask F03 interrupts when port is opened
	Input: synaptics-rmi4 - do not delete interrupt memory too early
	x86/efi: Clarify that reset attack mitigation needs appropriate userspace
	Linux 4.14.17

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-02-03 17:51:21 +01:00
Stephan Mueller
f41c8a0031 crypto: af_alg - whitelist mask and type
commit bb30b8848c85e18ca7e371d0a869e94b3e383bdf upstream.

The user space interface allows specifying the type and mask field used
to allocate the cipher. Only a subset of the possible flags are intended
for user space. Therefore, white-list the allowed flags.

In case the user space caller uses at least one non-allowed flag, EINVAL
is returned.

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-02-03 17:38:51 +01:00
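
A user-space model of the allow-list check this commit describes, added here as an illustration and not taken from the kernel patch. The bit values, the single allowed flag and the deny-list variant are assumptions for the model; the sample requests are constructed, and the "untested" one has the shape reported in the crypto_remove_spawns() commit further down this log (CRYPTO_ALG_TESTED set in the mask, clear in the feature field).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Model flag bits. Values are assumptions for this example. */
#define MODEL_ALG_TESTED           0x00000400u
#define MODEL_ALG_KERN_DRIVER_ONLY 0x00001000u
#define MODEL_ALG_INTERNAL         0x00002000u

/* Assumption: the only flag user space may pass in type or mask. */
static const uint32_t allowed_flags = MODEL_ALG_KERN_DRIVER_ONLY;

/* Allow-list: any bit outside the allowed set, in either field, is EINVAL. */
int allowlist_check(uint32_t feat, uint32_t mask)
{
    if ((feat & ~allowed_flags) || (mask & ~allowed_flags))
        return -EINVAL;
    return 0;
}

/* Hypothetical weaker alternative: reject only bits someone thought to list. */
int denylist_check(uint32_t feat, uint32_t mask)
{
    const uint32_t denied = MODEL_ALG_INTERNAL;

    if ((feat | mask) & denied)
        return -EINVAL;
    return 0;
}

/* Which bits made the allow-list refuse the request (0 if accepted). */
uint32_t offending_bits(uint32_t feat, uint32_t mask)
{
    return (feat | mask) & ~allowed_flags;
}

struct bind_request {
    const char *label;
    uint32_t feat;   /* models salg_feat */
    uint32_t mask;   /* models salg_mask */
};

/* Constructed sample requests. */
static const struct bind_request samples[] = {
    { "no flags",            0,                          0 },
    { "driver-only filter",  MODEL_ALG_KERN_DRIVER_ONLY, MODEL_ALG_KERN_DRIVER_ONLY },
    { "untested request",    0,                          MODEL_ALG_TESTED },
    { "internal algorithm",  MODEL_ALG_INTERNAL,         MODEL_ALG_INTERNAL },
    { "unknown high bit",    0x80000000u,                0 },
};

#define NSAMPLES (sizeof(samples) / sizeof(samples[0]))

/* Count how many sample requests a given policy refuses. */
int count_rejected(int (*check)(uint32_t, uint32_t))
{
    int rejected = 0;

    for (size_t i = 0; i < NSAMPLES; i++)
        if (check(samples[i].feat, samples[i].mask) != 0)
            rejected++;
    return rejected;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%-20s allow-list=%d deny-list=%d offending=0x%08x\n",
               samples[i].label,
               allowlist_check(samples[i].feat, samples[i].mask),
               denylist_check(samples[i].feat, samples[i].mask),
               (unsigned)offending_bits(samples[i].feat, samples[i].mask));
    return 0;
}
```

The deny-list variant lets the "untested" and unknown-bit requests through because nobody listed those bits; the allow-list refuses them without having to know what they mean.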
Ard Biesheuvel
b9788e278c crypto: sha3-generic - fixes for alignment and big endian operation
commit c013cee99d5a18aec8c71fee8f5f41369cd12595 upstream.

Ensure that the input is byte swabbed before injecting it into the
SHA3 transform. Use the get_unaligned() accessor for this so that
we don't perform unaligned access inadvertently on architectures
that do not support that.

Fixes: 53964b9ee63b7075 ("crypto: sha3 - Add SHA-3 hash algorithm")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-02-03 17:38:51 +01:00
Hauke Mehrtens
2992182765 crypto: ecdh - fix typo in KPP dependency of CRYPTO_ECDH
commit b5b9007730ce1d90deaf25d7f678511550744bdc upstream.

This fixes a typo in the CRYPTO_KPP dependency of CRYPTO_ECDH.

Fixes: 3c4b23901a0c ("crypto: ecdh - Add ECDH software support")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-02-03 17:38:48 +01:00
Greg Kroah-Hartman
9b68347c35 This is the 4.14.14 stable release

Merge 4.14.14 into android-4.14

Changes in 4.14.14
	dm bufio: fix shrinker scans when (nr_to_scan < retain_target)
	KVM: Fix stack-out-of-bounds read in write_mmio
	can: vxcan: improve handling of missing peer name attribute
	can: gs_usb: fix return value of the "set_bittiming" callback
	IB/srpt: Disable RDMA access by the initiator
	IB/srpt: Fix ACL lookup during login
	MIPS: Validate PR_SET_FP_MODE prctl(2) requests against the ABI of the task
	MIPS: Factor out NT_PRFPREG regset access helpers
	MIPS: Guard against any partial write attempt with PTRACE_SETREGSET
	MIPS: Consistently handle buffer counter with PTRACE_SETREGSET
	MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA
	MIPS: Also verify sizeof `elf_fpreg_t' with PTRACE_SETREGSET
	MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses
	cgroup: fix css_task_iter crash on CSS_TASK_ITER_PROC
	kvm: vmx: Scrub hardware GPRs at VM-exit
	platform/x86: wmi: Call acpi_wmi_init() later
	iw_cxgb4: only call the cq comp_handler when the cq is armed
	iw_cxgb4: atomically flush the qp
	iw_cxgb4: only clear the ARMED bit if a notification is needed
	iw_cxgb4: reflect the original WR opcode in drain cqes
	iw_cxgb4: when flushing, complete all wrs in a chain
	x86/acpi: Handle SCI interrupts above legacy space gracefully
	ALSA: pcm: Remove incorrect snd_BUG_ON() usages
	ALSA: pcm: Workaround for weird PulseAudio behavior on rewind error
	ALSA: pcm: Add missing error checks in OSS emulation plugin builder
	ALSA: pcm: Abort properly at pending signal in OSS read/write loops
	ALSA: pcm: Allow aborting mutex lock at OSS read/write loops
	ALSA: aloop: Release cable upon open error path
	ALSA: aloop: Fix inconsistent format due to incomplete rule
	ALSA: aloop: Fix racy hw constraints adjustment
	x86/acpi: Reduce code duplication in mp_override_legacy_irq()
	8021q: fix a memory leak for VLAN 0 device
	ip6_tunnel: disable dst caching if tunnel is dual-stack
	net: core: fix module type in sock_diag_bind
	phylink: ensure we report link down when LOS asserted
	RDS: Heap OOB write in rds_message_alloc_sgs()
	RDS: null pointer dereference in rds_atomic_free_op
	net: fec: restore dev_id in the cases of probe error
	net: fec: defer probe if regulator is not ready
	net: fec: free/restore resource in related probe error pathes
	sctp: do not retransmit upon FragNeeded if PMTU discovery is disabled
	sctp: fix the handling of ICMP Frag Needed for too small MTUs
	sh_eth: fix TSU resource handling
	net: stmmac: enable EEE in MII, GMII or RGMII only
	sh_eth: fix SH7757 GEther initialization
	ipv6: fix possible mem leaks in ipv6_make_skb()
	ethtool: do not print warning for applications using legacy API
	mlxsw: spectrum_router: Fix NULL pointer deref
	net/sched: Fix update of lastuse in act modules implementing stats_update
	ipv6: sr: fix TLVs not being copied using setsockopt
	mlxsw: spectrum: Relax sanity checks during enslavement
	sfp: fix sfp-bus oops when removing socket/upstream
	membarrier: Disable preemption when calling smp_call_function_many()
	crypto: algapi - fix NULL dereference in crypto_remove_spawns()
	mmc: renesas_sdhi: Add MODULE_LICENSE
	rbd: reacquire lock should update lock owner client id
	rbd: set max_segments to USHRT_MAX
	iwlwifi: pcie: fix DMA memory mapping / unmapping
	x86/microcode/intel: Extend BDW late-loading with a revision check
	KVM: x86: Add memory barrier on vmcs field lookup
	KVM: PPC: Book3S PR: Fix WIMG handling under pHyp
	KVM: PPC: Book3S HV: Drop prepare_done from struct kvm_resize_hpt
	KVM: PPC: Book3S HV: Fix use after free in case of multiple resize requests
	KVM: PPC: Book3S HV: Always flush TLB in kvmppc_alloc_reset_hpt()
	drm/vmwgfx: Don't cache framebuffer maps
	drm/vmwgfx: Potential off by one in vmw_view_add()
	drm/i915/gvt: Clear the shadow page table entry after post-sync
	drm/i915: Whitelist SLICE_COMMON_ECO_CHICKEN1 on Geminilake.
	drm/i915: Move init_clock_gating() back to where it was
	drm/i915: Fix init_clock_gating for resume
	bpf: prevent out-of-bounds speculation
	bpf, array: fix overflow in max_entries and undefined behavior in index_mask
	bpf: arsh is not supported in 32 bit alu thus reject it
	USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ
	USB: serial: cp210x: add new device ID ELV ALC 8xxx
	usb: misc: usb3503: make sure reset is low for at least 100us
	USB: fix usbmon BUG trigger
	USB: UDC core: fix double-free in usb_add_gadget_udc_release
	usbip: remove kernel addresses from usb device and urb debug msgs
	usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input
	usbip: vudc_tx: fix v_send_ret_submit() vulnerability to null xfer buffer
	staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl
	Bluetooth: Prevent stack info leak from the EFS element.
	uas: ignore UAS for Norelsys NS1068(X) chips
	mux: core: fix double get_device()
	kdump: write correct address of mem_section into vmcoreinfo
	apparmor: fix ptrace label match when matching stacked labels
	e1000e: Fix e1000_check_for_copper_link_ich8lan return value.
	x86/pti: Unbreak EFI old_memmap
	x86/Documentation: Add PTI description
	x86/cpufeatures: Add X86_BUG_SPECTRE_V[12]
	sysfs/cpu: Add vulnerability folder
	x86/cpu: Implement CPU vulnerabilites sysfs functions
	x86/tboot: Unbreak tboot with PTI enabled
	x86/mm/pti: Remove dead logic in pti_user_pagetable_walk*()
	x86/cpu/AMD: Make LFENCE a serializing instruction
	x86/cpu/AMD: Use LFENCE_RDTSC in preference to MFENCE_RDTSC
	sysfs/cpu: Fix typos in vulnerability documentation
	x86/alternatives: Fix optimize_nops() checking
	x86/pti: Make unpoison of pgd for trusted boot work for real
	objtool: Detect jumps to retpoline thunks
	objtool: Allow alternatives to be ignored
	x86/retpoline: Add initial retpoline support
	x86/spectre: Add boot time option to select Spectre v2 mitigation
	x86/retpoline/crypto: Convert crypto assembler indirect jumps
	x86/retpoline/entry: Convert entry assembler indirect jumps
	x86/retpoline/ftrace: Convert ftrace assembler indirect jumps
	x86/retpoline/hyperv: Convert assembler indirect jumps
	x86/retpoline/xen: Convert Xen hypercall indirect jumps
	x86/retpoline/checksum32: Convert assembler indirect jumps
	x86/retpoline/irq32: Convert assembler indirect jumps
	x86/retpoline: Fill return stack buffer on vmexit
	selftests/x86: Add test_vsyscall
	x86/pti: Fix !PCID and sanitize defines
	security/Kconfig: Correct the Documentation reference for PTI
	x86,perf: Disable intel_bts when PTI
	x86/retpoline: Remove compile time warning
	Linux 4.14.14

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-01-17 10:33:24 +01:00
Eric Biggers
3662493dbd crypto: algapi - fix NULL dereference in crypto_remove_spawns()
commit 9a00674213a3f00394f4e3221b88f2d21fc05789 upstream.

syzkaller triggered a NULL pointer dereference in crypto_remove_spawns()
via a program that repeatedly and concurrently requests AEADs
"authenc(cmac(des3_ede-asm),pcbc-aes-aesni)" and hashes "cmac(des3_ede)"
through AF_ALG, where the hashes are requested as "untested"
(CRYPTO_ALG_TESTED is set in ->salg_mask but clear in ->salg_feat; this
causes the template to be instantiated for every request).

Although AF_ALG users really shouldn't be able to request an "untested"
algorithm, the NULL pointer dereference is actually caused by a
longstanding race condition where crypto_remove_spawns() can encounter
an instance which has had spawn(s) "grabbed" but hasn't yet been
registered, resulting in ->cra_users still being NULL.

We probably should properly initialize ->cra_users earlier, but that
would require updating many templates individually.  For now just fix
the bug in a simple way that can easily be backported: make
crypto_remove_spawns() treat a NULL ->cra_users list as empty.

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-17 09:45:23 +01:00
Jaegeuk Kim
a53dc75af2 fscrypt: updates on 4.15-rc4
Cherry-picked from origin/upstream-f2fs-stable-linux-4.14.y:

9d468a2b52d1 Revert "locking/atomics: COCCINELLE/treewide: Convert trivial ACCESS_ONCE() patterns to READ_ONCE()/WRITE_ONCE()"
13b237d115a5 fscrypt: move to generic async completion
a2985b1c98e5 crypto: introduce crypto wait for async op
4bb665c7e388 locking/atomics: COCCINELLE/treewide: Convert trivial ACCESS_ONCE() patterns to READ_ONCE()/WRITE_ONCE()
249c90416bcf fscrypt: new helper function - fscrypt_prepare_setattr()
91d09c052132 fscrypt: new helper function - fscrypt_prepare_lookup()
9a24d618cb8a fscrypt: new helper function - fscrypt_prepare_rename()
4bd6179f5211 fscrypt: new helper function - fscrypt_prepare_link()
b811faac6371 fscrypt: new helper function - fscrypt_file_open()
e9f57e3771ba fscrypt: new helper function - fscrypt_require_key()
b31ee2e1280e fscrypt: remove unneeded empty fscrypt_operations structs
82cbed4cdc5e fscrypt: remove ->is_encrypted()
2edb5df148b3 fscrypt: switch from ->is_encrypted() to IS_ENCRYPTED()
cde1fbb02dbf fs, fscrypt: add an S_ENCRYPTED inode flag
8ec05db2542c fscrypt: clean up include file mess

Change-Id: I8980613b8d5ffedf72ef2c91e1ae2eebb521ae19
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
2018-01-16 10:06:04 -08:00
Eric Biggers
7156c794b8 crypto: pcrypt - fix freeing pcrypt instances
commit d76c68109f37cb85b243a1cf0f40313afd2bae68 upstream.

pcrypt is using the old way of freeing instances, where the ->free()
method specified in the 'struct crypto_template' is passed a pointer to
the 'struct crypto_instance'.  But the crypto_instance is being
kfree()'d directly, which is incorrect because the memory was actually
allocated as an aead_instance, which contains the crypto_instance at a
nonzero offset.  Thus, the wrong pointer was being kfree()'d.

Fix it by switching to the new way to free aead_instance's where the
->free() method is specified in the aead_instance itself.

Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 0496f56065e0 ("crypto: pcrypt - Add support for new AEAD interface")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-10 09:31:18 +01:00
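
A user-space model of the pointer mix-up described in the pcrypt commit above, added as an illustration and not taken from the kernel source. The struct layouts and all `*_model` names are simplified assumptions; only the nesting (the inner instance embedded at a nonzero offset in the allocated object) follows the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Inner object: what the old template-level ->free() received. */
struct crypto_instance_model {
    char name[32];
};

/* Outer object: what was actually allocated. */
struct aead_instance_model {
    void (*free)(struct aead_instance_model *inst); /* per-instance ->free() */
    char alg[64];                                   /* pushes 'inst' off offset 0 */
    struct crypto_instance_model inst;              /* embedded inner object */
};

/* Recover the enclosing object from a pointer to one of its members. */
#define container_of_model(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static uintptr_t last_freed_addr;

/* New style: the instance carries its own ->free(), which gets the outer pointer. */
static void instance_free(struct aead_instance_model *inst)
{
    last_freed_addr = (uintptr_t)inst;
    free(inst);
}

static struct aead_instance_model *instance_alloc(void)
{
    struct aead_instance_model *inst = calloc(1, sizeof(*inst));

    if (inst)
        inst->free = instance_free;
    return inst;
}

/* Old style: the inner pointer would have gone straight to the allocator. */
static void *old_free_target(struct crypto_instance_model *inner)
{
    return inner;
}

/* Correct target: step back to the start of the allocation. */
static void *new_free_target(struct crypto_instance_model *inner)
{
    return container_of_model(inner, struct aead_instance_model, inst);
}

size_t inner_offset(void)
{
    return offsetof(struct aead_instance_model, inst);
}

/*
 * Returns 0 when the old target differs from the allocation, the new target
 * equals it, and the per-instance ->free() released exactly that address.
 * The wrong pointer is only computed and compared, never passed to free().
 */
int pcrypt_free_model(void)
{
    struct aead_instance_model *alloc = instance_alloc();
    uintptr_t want;

    if (!alloc)
        return -1;
    want = (uintptr_t)alloc;

    if ((uintptr_t)old_free_target(&alloc->inst) == want) {
        free(alloc);
        return -2;
    }
    if ((uintptr_t)new_free_target(&alloc->inst) != want) {
        free(alloc);
        return -3;
    }
    alloc->free(alloc);
    return last_freed_addr == want ? 0 : -4;
}

int main(void)
{
    printf("inner instance offset: %zu bytes\n", inner_offset());
    printf("model result: %d\n", pcrypt_free_model());
    return 0;
}
```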
Eric Biggers
9c36498f74 crypto: chacha20poly1305 - validate the digest size
commit e57121d08c38dabec15cf3e1e2ad46721af30cae upstream.

If the rfc7539 template was instantiated with a hash algorithm with
digest size larger than 16 bytes (POLY1305_DIGEST_SIZE), then the digest
overran the 'tag' buffer in 'struct chachapoly_req_ctx', corrupting the
subsequent memory, including 'cryptlen'.  This caused a crash during
crypto_skcipher_decrypt().

Fix it by, when instantiating the template, requiring that the
underlying hash algorithm has the digest size expected for Poly1305.

Reproducer:

    #include <linux/if_alg.h>
    #include <sys/socket.h>
    #include <unistd.h>

    int main()
    {
            int algfd, reqfd;
            struct sockaddr_alg addr = {
                    .salg_type = "aead",
                    .salg_name = "rfc7539(chacha20,sha256)",
            };
            unsigned char buf[32] = { 0 };

            algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
            bind(algfd, (void *)&addr, sizeof(addr));
            setsockopt(algfd, SOL_ALG, ALG_SET_KEY, buf, sizeof(buf));
            reqfd = accept(algfd, 0, 0);
            write(reqfd, buf, 16);
            read(reqfd, buf, 16);
    }

Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 71ebc4d1b27d ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-10 09:31:18 +01:00
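
A user-space model of the overrun and of the instantiation-time check described in the chacha20poly1305 commit above, added as an illustration and not taken from the kernel source. The struct is a simplified assumption that keeps only the `tag` and `cryptlen` fields named in the commit message (plus padding so the modelled write stays inside the object); the digest bytes are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POLY1305_DIGEST_SIZE 16

/* Simplified stand-in for the request context: tag, then cryptlen. */
struct req_ctx_model {
    uint8_t  tag[POLY1305_DIGEST_SIZE];
    uint32_t cryptlen;
    uint32_t assoclen;
    uint8_t  slack[32];   /* model-only padding, keeps the demo write in bounds */
};

/* The fix: refuse to build the template around a hash of the wrong size. */
int template_create_checked(unsigned int digest_size)
{
    if (digest_size != POLY1305_DIGEST_SIZE)
        return -EINVAL;
    return 0;
}

/* Bytes a digest of this size would write past the end of 'tag'. */
size_t tag_overrun(unsigned int digest_size)
{
    return digest_size > POLY1305_DIGEST_SIZE
               ? digest_size - POLY1305_DIGEST_SIZE : 0;
}

/*
 * Write a constructed digest (all 0xAA) of 'digest_size' bytes starting at
 * 'tag' and return cryptlen afterwards. With validate != 0 the size check
 * runs first, so an oversized hash never gets to write anything.
 */
uint32_t cryptlen_after_digest(unsigned int digest_size, int validate)
{
    struct req_ctx_model ctx;
    uint8_t digest[64];
    size_t room = sizeof(ctx) - offsetof(struct req_ctx_model, tag);

    memset(&ctx, 0, sizeof(ctx));
    ctx.cryptlen = 16;                    /* length the request asked for */
    memset(digest, 0xAA, sizeof(digest)); /* constructed digest bytes */

    if (validate && template_create_checked(digest_size) != 0)
        return ctx.cryptlen;              /* instance was never created */

    /* Keep the model itself well defined: never leave the ctx object. */
    if (digest_size > sizeof(digest) || digest_size > room)
        return ctx.cryptlen;

    memcpy((uint8_t *)&ctx + offsetof(struct req_ctx_model, tag),
           digest, digest_size);
    return ctx.cryptlen;
}

int main(void)
{
    printf("poly1305 (16 bytes), unchecked: cryptlen=%u\n",
           (unsigned)cryptlen_after_digest(16, 0));
    printf("sha256   (32 bytes), unchecked: cryptlen=0x%08x, overrun=%zu\n",
           (unsigned)cryptlen_after_digest(32, 0), tag_overrun(32));
    printf("sha256   (32 bytes), checked:   create=%d, cryptlen=%u\n",
           template_create_checked(32),
           (unsigned)cryptlen_after_digest(32, 1));
    return 0;
}
```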
Stephan Mueller
f09fca41e2 crypto: af_alg - fix race accessing cipher request
commit d53c5135792319e095bb126bc43b2ee98586f7fe upstream.

When invoking an asynchronous cipher operation, the invocation of the
callback may be performed before the subsequent operations in the
initial code path are invoked. The callback deletes the cipher request
data structure which implies that after the invocation of the
asynchronous cipher operation, this data structure must not be accessed
any more.

The setting of the return code size with the request data structure must
therefore be moved before the invocation of the asynchronous cipher
operation.

Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")
Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-29 17:53:46 +01:00
Stephan Mueller
c692698ebe crypto: af_alg - wait for data at beginning of recvmsg
commit 11edb555966ed2c66c533d17c604f9d7e580a829 upstream.

The wait for data is a non-atomic operation that can sleep and therefore
potentially release the socket lock. The release of the socket lock
allows another thread to modify the context data structure. The waiting
operation for new data therefore must be called at the beginning of
recvmsg. This prevents a race condition where checks of the members of
the context data structure are performed by recvmsg while there is a
potential for modification of these values.

Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")
Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-29 17:53:46 +01:00
Sebastian Andrzej Siewior
88990591f0 crypto: mcryptd - protect the per-CPU queue with a lock
commit 9abffc6f2efe46c3564c04312e52e07622d40e51 upstream.

mcryptd_enqueue_request() grabs the per-CPU queue struct and protects
access to it with disabled preemption. Then it schedules a worker on the
same CPU. The worker in mcryptd_queue_worker() guards access to the same
per-CPU variable with disabled preemption.

If we take CPU-hotplug into account then it is possible that between
queue_work_on() and the actual invocation of the worker the CPU goes
down and the worker will be scheduled on _another_ CPU. And here the
preempt_disable() protection does not work anymore. The easiest thing is
to add a spin_lock() to guard access to the list.

Another detail: mcryptd_queue_worker() is not processing more than
MCRYPTD_BATCH invocations in a row. If there are still items left, then
it will invoke queue_work() to proceed with more later. *I* would
suggest to simply drop that check because it does not use a system
workqueue and the workqueue is already marked as "CPU_INTENSIVE". And if
preemption is required then the scheduler should do it.
However if queue_work() is used then the work item is marked as CPU
unbound. That means it will try to run on the local CPU but it may run
on another CPU as well. Especially with CONFIG_DEBUG_WQ_FORCE_RR_CPU=y.
Again, the preempt_disable() won't work here but the lock which was
introduced will help.
In order to keep the work item on the local CPU (and avoid RR) I changed it
to queue_work_on().

Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-29 17:53:45 +01:00
Eric Biggers
29082870f5 crypto: skcipher - set walk.iv for zero-length inputs
commit 2b4f27c36bcd46e820ddb9a8e6fe6a63fa4250b8 upstream.

All the ChaCha20 algorithms as well as the ARM bit-sliced AES-XTS
algorithms call skcipher_walk_virt(), then access the IV (walk.iv)
before checking whether any bytes need to be processed (walk.nbytes).

But if the input is empty, then skcipher_walk_virt() doesn't set the IV,
and the algorithms crash trying to use the uninitialized IV pointer.

Fix it by setting the IV earlier in skcipher_walk_virt().  Also fix it
for the AEAD walk functions.

This isn't a perfect solution because we can't actually align the IV to
->cra_alignmask unless there are bytes to process, for one because the
temporary buffer for the aligned IV is freed by skcipher_walk_done(),
which is only called when there are bytes to process.  Thus, algorithms
that require aligned IVs will still need to avoid accessing the IV when
walk.nbytes == 0.  Still, many algorithms/architectures are fine with
IVs having any alignment, and even for those that aren't, a misaligned
pointer bug is much less severe than an uninitialized pointer bug.

This change also matches the behavior of the older blkcipher_walk API.

Fixes: 0cabf2af6f5a ("crypto: skcipher - Fix crash on zero-length input")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-29 17:53:45 +01:00
Christophe Jaillet
bd51398957 crypto: lrw - Fix an error handling path in 'create()'
[ Upstream commit 616129cc6e75fb4da6681c16c981fa82dfe5e4c7 ]

All error handling paths 'goto err_drop_spawn' except this one.
In order to avoid a resource leak, we should do it here as well.

Fixes: 700cb3f5fe75 ("crypto: lrw - Convert to skcipher")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-25 14:26:25 +01:00
Robert Baronescu
6479a108b3 crypto: tcrypt - fix buffer lengths in test_aead_speed()
[ Upstream commit 7aacbfcb331ceff3ac43096d563a1f93ed46e35e ]

Fix the way the lengths of the buffers used for
encryption / decryption are computed.
E.g. in the case of encryption, the input buffer does not contain
an authentication tag.

Signed-off-by: Robert Baronescu <robert.baronescu@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-20 10:10:26 +01:00
Eric Biggers
cf1048e46d crypto: af_alg - fix NULL pointer dereference in af_alg_free_areq_sgls()
commit 887207ed9e5812ed9239b6d07185a2d35dda91db upstream.

If allocating the ->tsgl member of 'struct af_alg_async_req' failed,
during cleanup we dereferenced the NULL ->tsgl pointer in
af_alg_free_areq_sgls(), because ->tsgl_entries was nonzero.

Fix it by only freeing the ->tsgl list if it is non-NULL.

This affected both algif_skcipher and algif_aead.

Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")
Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-20 10:10:17 +01:00
Eric Biggers
c68b31521d crypto: salsa20 - fix blkcipher_walk API usage
commit ecaaab5649781c5a0effdaf298a925063020500e upstream.

When asked to encrypt or decrypt 0 bytes, both the generic and x86
implementations of Salsa20 crash in blkcipher_walk_done(), either when
doing 'kfree(walk->buffer)' or 'free_page((unsigned long)walk->page)',
because walk->buffer and walk->page have not been initialized.

The bug is that Salsa20 is calling blkcipher_walk_done() even when
nothing is in 'walk.nbytes'.  But blkcipher_walk_done() is only meant to
be called when a nonzero number of bytes have been provided.

The broken code is part of an optimization that tries to make only one
call to salsa20_encrypt_bytes() to process inputs that are not evenly
divisible by 64 bytes.  To fix the bug, just remove this "optimization"
and use the blkcipher_walk API the same way all the other users do.

Reproducer:

    #include <linux/if_alg.h>
    #include <sys/socket.h>
    #include <unistd.h>

    int main()
    {
            int algfd, reqfd;
            struct sockaddr_alg addr = {
                    .salg_type = "skcipher",
                    .salg_name = "salsa20",
            };
            char key[16] = { 0 };

            algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
            bind(algfd, (void *)&addr, sizeof(addr));
            reqfd = accept(algfd, 0, 0);
            setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
            read(reqfd, key, sizeof(key));
    }

Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: eb6f13eb9f81 ("[CRYPTO] salsa20_generic: Fix multi-page processing")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-20 10:10:17 +01:00
Eric Biggers
902ae89f84 crypto: hmac - require that the underlying hash algorithm is unkeyed
commit af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1 upstream.

Because the HMAC template didn't check that its underlying hash
algorithm is unkeyed, trying to use "hmac(hmac(sha3-512-generic))"
through AF_ALG or through KEYCTL_DH_COMPUTE resulted in the inner HMAC
being used without having been keyed, resulting in sha3_update() being
called without sha3_init(), causing a stack buffer overflow.

This is a very old bug, but it seems to have only started causing real
problems when SHA-3 support was added (requires CONFIG_CRYPTO_SHA3)
because the innermost hash's state is ->import()ed from a zeroed buffer,
and it just so happens that other hash algorithms are fine with that,
but SHA-3 is not.  However, there could be arch or hardware-dependent
hash algorithms also affected; I couldn't test everything.

Fix the bug by introducing a function crypto_shash_alg_has_setkey()
which tests whether a shash algorithm is keyed.  Then update the HMAC
template to require that its underlying hash algorithm is unkeyed.

Here is a reproducer:

    #include <linux/if_alg.h>
    #include <sys/socket.h>

    int main()
    {
        int algfd;
        struct sockaddr_alg addr = {
            .salg_type = "hash",
            .salg_name = "hmac(hmac(sha3-512-generic))",
        };
        char key[4096] = { 0 };

        algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
        bind(algfd, (const struct sockaddr *)&addr, sizeof(addr));
        setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
    }

Here was the KASAN report from syzbot:

    BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:341  [inline]
    BUG: KASAN: stack-out-of-bounds in sha3_update+0xdf/0x2e0  crypto/sha3_generic.c:161
    Write of size 4096 at addr ffff8801cca07c40 by task syzkaller076574/3044

    CPU: 1 PID: 3044 Comm: syzkaller076574 Not tainted 4.14.0-mm1+ #25
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  Google 01/01/2011
    Call Trace:
      __dump_stack lib/dump_stack.c:17 [inline]
      dump_stack+0x194/0x257 lib/dump_stack.c:53
      print_address_description+0x73/0x250 mm/kasan/report.c:252
      kasan_report_error mm/kasan/report.c:351 [inline]
      kasan_report+0x25b/0x340 mm/kasan/report.c:409
      check_memory_region_inline mm/kasan/kasan.c:260 [inline]
      check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
      memcpy+0x37/0x50 mm/kasan/kasan.c:303
      memcpy include/linux/string.h:341 [inline]
      sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
      crypto_shash_update+0xcb/0x220 crypto/shash.c:109
      shash_finup_unaligned+0x2a/0x60 crypto/shash.c:151
      crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
      hmac_finup+0x182/0x330 crypto/hmac.c:152
      crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
      shash_digest_unaligned+0x9e/0xd0 crypto/shash.c:172
      crypto_shash_digest+0xc4/0x120 crypto/shash.c:186
      hmac_setkey+0x36a/0x690 crypto/hmac.c:66
      crypto_shash_setkey+0xad/0x190 crypto/shash.c:64
      shash_async_setkey+0x47/0x60 crypto/shash.c:207
      crypto_ahash_setkey+0xaf/0x180 crypto/ahash.c:200
      hash_setkey+0x40/0x90 crypto/algif_hash.c:446
      alg_setkey crypto/af_alg.c:221 [inline]
      alg_setsockopt+0x2a1/0x350 crypto/af_alg.c:254
      SYSC_setsockopt net/socket.c:1851 [inline]
      SyS_setsockopt+0x189/0x360 net/socket.c:1830
      entry_SYSCALL_64_fastpath+0x1f/0x96

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-20 10:10:17 +01:00
Eric Biggers
80dbdc5ae7 crypto: rsa - fix buffer overread when stripping leading zeroes
commit d2890c3778b164fde587bc16583f3a1c87233ec5 upstream.

In rsa_get_n(), if the buffer contained all 0's and "FIPS mode" is
enabled, we would read one byte past the end of the buffer while
scanning the leading zeroes.  Fix it by checking 'n_sz' before '!*ptr'.

This bug was reachable by adding a specially crafted key of type
"asymmetric" (requires CONFIG_RSA and CONFIG_X509_CERTIFICATE_PARSER).

KASAN report:

    BUG: KASAN: slab-out-of-bounds in rsa_get_n+0x19e/0x1d0 crypto/rsa_helper.c:33
    Read of size 1 at addr ffff88003501a708 by task keyctl/196

    CPU: 1 PID: 196 Comm: keyctl Not tainted 4.14.0-09238-g1d3b78bbc6e9 #26
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
    Call Trace:
     rsa_get_n+0x19e/0x1d0 crypto/rsa_helper.c:33
     asn1_ber_decoder+0x82a/0x1fd0 lib/asn1_decoder.c:328
     rsa_set_pub_key+0xd3/0x320 crypto/rsa.c:278
     crypto_akcipher_set_pub_key ./include/crypto/akcipher.h:364 [inline]
     pkcs1pad_set_pub_key+0xae/0x200 crypto/rsa-pkcs1pad.c:117
     crypto_akcipher_set_pub_key ./include/crypto/akcipher.h:364 [inline]
     public_key_verify_signature+0x270/0x9d0 crypto/asymmetric_keys/public_key.c:106
     x509_check_for_self_signed+0x2ea/0x480 crypto/asymmetric_keys/x509_public_key.c:141
     x509_cert_parse+0x46a/0x620 crypto/asymmetric_keys/x509_cert_parser.c:129
     x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
     asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
     key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
     SYSC_add_key security/keys/keyctl.c:122 [inline]
     SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0x96

    Allocated by task 196:
     __do_kmalloc mm/slab.c:3711 [inline]
     __kmalloc_track_caller+0x118/0x2e0 mm/slab.c:3726
     kmemdup+0x17/0x40 mm/util.c:118
     kmemdup ./include/linux/string.h:414 [inline]
     x509_cert_parse+0x2cb/0x620 crypto/asymmetric_keys/x509_cert_parser.c:106
     x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
     asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
     key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
     SYSC_add_key security/keys/keyctl.c:122 [inline]
     SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0x96

Fixes: 5a7de97309f5 ("crypto: rsa - return raw integers for the ASN.1 parser")
Cc: Tudor Ambarus <tudor-dan.ambarus@nxp.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Reviewed-by: David Howells <dhowells@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-20 10:10:17 +01:00
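
The check-order problem this commit describes, as an added user-space sketch (not the kernel's rsa_get_n() and not code from the commit): both loops strip leading zero bytes, and a counter records the highest index each one dereferences. The struct, function names and sample buffers are constructed for illustration; the fifth "guard" byte keeps the off-by-one read inside the array so the demo itself stays well defined.

```c
#include <stddef.h>
#include <stdio.h>

/* Result of stripping leading zero bytes from a big-endian integer. */
struct strip_result {
    size_t remaining; /* bytes left once the leading zeroes are skipped */
    size_t touched;   /* one past the highest index that was dereferenced */
};

/* Constructed samples. The logical buffer is SAMPLE_LEN bytes; byte 4 is a
 * guard that stands in for whatever follows the real allocation. */
#define SAMPLE_LEN 4
static const unsigned char ALL_ZERO[5]   = { 0x00, 0x00, 0x00, 0x00, 0xAA };
static const unsigned char TWO_ZEROES[5] = { 0x00, 0x00, 0xC3, 0x51, 0xAA };

/* Order the commit describes as buggy: `while (!*ptr && n_sz)`.
 * The byte is loaded before the remaining length is tested. */
static struct strip_result strip_deref_first(const unsigned char *ptr, size_t n_sz)
{
    struct strip_result r = { n_sz, 0 };
    size_t i = 0;

    for (;;) {
        unsigned char b = ptr[i];        /* unconditional load */
        if (i + 1 > r.touched)
            r.touched = i + 1;
        if (b != 0 || r.remaining == 0)  /* length is only consulted afterwards */
            break;
        i++;
        r.remaining--;
    }
    return r;
}

/* Order the commit switches to: test the length first, then dereference. */
static struct strip_result strip_length_first(const unsigned char *ptr, size_t n_sz)
{
    struct strip_result r = { n_sz, 0 };
    size_t i = 0;

    while (r.remaining != 0) {
        unsigned char b = ptr[i];        /* only reached while bytes remain */
        if (i + 1 > r.touched)
            r.touched = i + 1;
        if (b != 0)
            break;
        i++;
        r.remaining--;
    }
    return r;
}

/* Number of bytes read beyond the logical end of the buffer. */
static size_t overread(struct strip_result r, size_t n_sz)
{
    return r.touched > n_sz ? r.touched - n_sz : 0;
}

int main(void)
{
    struct strip_result a = strip_deref_first(ALL_ZERO, SAMPLE_LEN);
    struct strip_result b = strip_length_first(ALL_ZERO, SAMPLE_LEN);

    printf("deref-first : remaining=%zu overread=%zu\n",
           a.remaining, overread(a, SAMPLE_LEN));
    printf("length-first: remaining=%zu overread=%zu\n",
           b.remaining, overread(b, SAMPLE_LEN));
    return 0;
}
```

Both orders agree on every input that contains a nonzero byte; they differ only on the all-zero (or empty) buffer, which is the case the commit names.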
Eric Biggers
96c2dfaebe crypto: algif_aead - fix reference counting of null skcipher
commit b32a7dc8aef1882fbf983eb354837488cc9d54dc upstream.

In the AEAD interface for AF_ALG, the reference to the "null skcipher"
held by each tfm was being dropped in the wrong place -- when each
af_alg_ctx was freed instead of when the aead_tfm was freed.  As
discovered by syzkaller, a specially crafted program could use this to
cause the null skcipher to be freed while it is still in use.

Fix it by dropping the reference in the right place.

Fixes: 72548b093ee3 ("crypto: algif_aead - copy AAD from src to dst")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-20 10:10:16 +01:00
Eric Biggers
70feeaaabf X.509: fix comparisons of ->pkey_algo
commit 54c1fb39fe0495f846539ab765925b008f86801c upstream.

->pkey_algo used to be an enum, but was changed to a string by commit
4e8ae72a75aa ("X.509: Make algo identifiers text instead of enum").  But
two comparisons were not updated.  Fix them to use strcmp().

This bug broke signature verification in certain configurations,
depending on whether the string constants were deduplicated or not.

Fixes: 4e8ae72a75aa ("X.509: Make algo identifiers text instead of enum")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-14 09:52:53 +01:00
Eric Biggers
31b3bcc66f X.509: reject invalid BIT STRING for subjectPublicKey
commit 0f30cbea005bd3077bd98cd29277d7fc2699c1da upstream.

Adding a specially crafted X.509 certificate whose subjectPublicKey
ASN.1 value is zero-length caused x509_extract_key_data() to set the
public key size to SIZE_MAX, as it subtracted the nonexistent BIT STRING
metadata byte.  Then, x509_cert_parse() called kmemdup() with that bogus
size, triggering the WARN_ON_ONCE() in kmalloc_slab().

This appears to be harmless, but it still must be fixed since WARNs are
never supposed to be user-triggerable.

Fix it by updating x509_cert_parse() to validate that the value has a
BIT STRING metadata byte, and that the byte is 0 which indicates that
the number of bits in the bitstring is a multiple of 8.

It would be nice to handle the metadata byte in asn1_ber_decoder()
instead.  But that would be tricky because in the general case a BIT
STRING could be implicitly tagged, and/or could legitimately have a
length that is not a whole number of bytes.

Here was the WARN (cleaned up slightly):

    WARNING: CPU: 1 PID: 202 at mm/slab_common.c:971 kmalloc_slab+0x5d/0x70 mm/slab_common.c:971
    Modules linked in:
    CPU: 1 PID: 202 Comm: keyctl Tainted: G    B            4.14.0-09238-g1d3b78bbc6e9 #26
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
    task: ffff880033014180 task.stack: ffff8800305c8000
    Call Trace:
     __do_kmalloc mm/slab.c:3706 [inline]
     __kmalloc_track_caller+0x22/0x2e0 mm/slab.c:3726
     kmemdup+0x17/0x40 mm/util.c:118
     kmemdup include/linux/string.h:414 [inline]
     x509_cert_parse+0x2cb/0x620 crypto/asymmetric_keys/x509_cert_parser.c:106
     x509_key_preparse+0x61/0x750 crypto/asymmetric_keys/x509_public_key.c:174
     asymmetric_key_preparse+0xa4/0x150 crypto/asymmetric_keys/asymmetric_type.c:388
     key_create_or_update+0x4d4/0x10a0 security/keys/key.c:850
     SYSC_add_key security/keys/keyctl.c:122 [inline]
     SyS_add_key+0xe8/0x290 security/keys/keyctl.c:62
     entry_SYSCALL_64_fastpath+0x1f/0x96

Fixes: 42d5ec27f873 ("X.509: Add an ASN.1 decoder")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-14 09:52:53 +01:00
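
An added user-space sketch of the validation this commit describes (not the kernel's parser and not code from the commit): a minimal reader for a DER BIT STRING that rejects a zero-length value and a nonzero metadata byte before subtracting that byte from the size. The error codes, function names and byte strings are constructed for illustration, and the length parsing accepts at most two length bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Error codes chosen for this sketch. */
enum {
    BS_OK = 0,
    BS_TRUNCATED = -1,      /* header or content runs past the input */
    BS_NOT_BIT_STRING = -2, /* tag is not 0x03 */
    BS_NO_METADATA = -3,    /* zero-length value: no "unused bits" byte */
    BS_UNUSED_BITS = -4,    /* bit count is not a multiple of 8 */
    BS_BAD_LENGTH = -5      /* indefinite or oversized length field */
};

struct key_view { const unsigned char *data; size_t len; };

/* Constructed samples: tag 0x03, length, then the value. */
static const unsigned char BS_EMPTY[]    = { 0x03, 0x00 };
static const unsigned char BS_GOOD[]     = { 0x03, 0x03, 0x00, 0xAB, 0xCD };
static const unsigned char BS_PARTIAL[]  = { 0x03, 0x03, 0x04, 0xAB, 0xC0 };
static const unsigned char BS_SHORT[]    = { 0x03, 0x05, 0x00, 0x01 };
static const unsigned char BS_LONGFORM[] = { 0x03, 0x81, 0x02, 0x00, 0x7F };

/* What an unchecked caller computes: drop the metadata byte unconditionally.
 * For vlen == 0 the unsigned subtraction wraps to SIZE_MAX. */
static size_t key_size_unchecked(size_t vlen)
{
    return vlen - 1;
}

/* Read one tag/length header and return the bounds-checked value. */
static int read_tlv(const unsigned char *der, size_t der_len, unsigned char tag,
                    const unsigned char **val, size_t *vlen)
{
    size_t pos = 2, len;

    if (der_len < 2)
        return BS_TRUNCATED;
    if (der[0] != tag)
        return BS_NOT_BIT_STRING;
    len = der[1];
    if (len & 0x80) {                     /* long form: low bits = byte count */
        size_t nbytes = len & 0x7F;
        if (nbytes == 0 || nbytes > 2)
            return BS_BAD_LENGTH;
        if (der_len - pos < nbytes)
            return BS_TRUNCATED;
        len = 0;
        while (nbytes--)
            len = (len << 8) | der[pos++];
    }
    if (der_len - pos < len)
        return BS_TRUNCATED;
    *val = der + pos;
    *vlen = len;
    return BS_OK;
}

/* Checked extraction: the metadata byte must exist and must be 0. */
static int extract_public_key(const unsigned char *der, size_t der_len,
                              struct key_view *out)
{
    const unsigned char *val;
    size_t vlen;
    int rc = read_tlv(der, der_len, 0x03, &val, &vlen);

    if (rc != BS_OK)
        return rc;
    if (vlen < 1)
        return BS_NO_METADATA;
    if (val[0] != 0)
        return BS_UNUSED_BITS;
    out->data = val + 1;
    out->len = vlen - 1;                  /* safe: vlen >= 1 was checked */
    return BS_OK;
}

/* Convenience wrapper: key length on success, negative error otherwise. */
static long key_len_or_error(const unsigned char *der, size_t der_len)
{
    struct key_view k;
    int rc = extract_public_key(der, der_len, &k);
    return rc == BS_OK ? (long)k.len : (long)rc;
}

int main(void)
{
    printf("unchecked size for empty value: %zu\n", key_size_unchecked(0));
    printf("empty:   %ld\n", key_len_or_error(BS_EMPTY, sizeof(BS_EMPTY)));
    printf("good:    %ld\n", key_len_or_error(BS_GOOD, sizeof(BS_GOOD)));
    printf("partial: %ld\n", key_len_or_error(BS_PARTIAL, sizeof(BS_PARTIAL)));
    return 0;
}
```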
Ondrej Mosnáček
861eae231b crypto: skcipher - Fix skcipher_walk_aead_common
commit c14ca8386539a298c1c19b003fe55e37d0f0e89c upstream.

The skcipher_walk_aead_common function calls scatterwalk_copychunks on
the input and output walks to skip the associated data. If the AD ends
at an SG list entry boundary, then after these calls the walks will
still be pointing to the end of the skipped region.

These offsets are later checked for alignment in skcipher_walk_next,
so the skcipher_walk may detect the alignment incorrectly.

This patch fixes it by calling scatterwalk_done after the copychunks
calls to ensure that the offsets refer to the right SG list entry.

Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk interface")
Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-05 11:26:30 +01:00
Stephan Mueller
7f21961a2d crypto: af_alg - remove locking in async callback
commit 7d2c3f54e6f646887d019faa45f35d6fe9fe82ce upstream.

The code paths protected by the socket-lock do not use or modify the
socket in a non-atomic fashion. The actions pertaining to the socket do not
even need to be handled as an atomic operation. Thus, the socket-lock
can be safely ignored.

This fixes a bug regarding scheduling in atomic as the callback function
may be invoked in interrupt context.

In addition, the sock_hold is moved before the AIO encrypt/decrypt
operation to ensure that the socket is always present. This avoids a
tiny race window where the socket is unprotected and yet used by the AIO
operation.

Finally, the release of resources for a crypto operation is moved into a
common function of af_alg_free_resources.

Fixes: e870456d8e7c8 ("crypto: algif_skcipher - overhaul memory management")
Fixes: d887c52d6ae43 ("crypto: algif_aead - overhaul memory management")
Reported-by: Romain Izard <romain.izard.pro@gmail.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Tested-by: Romain Izard <romain.izard.pro@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-05 11:26:30 +01:00
Stephan Mueller
721872a199 crypto: algif_aead - skip SGL entries with NULL page
commit 8e1fa89aa8bc2870009b4486644e4a58f2e2a4f5 upstream.

The TX SGL may contain SGL entries that are assigned a NULL page. This
may happen if a multi-stage AIO operation is performed where the data
for each stage is pointed to by one SGL entry. Upon completion of that
stage, af_alg_pull_tsgl will assign NULL to the SGL entry.

The NULL cipher used to copy the AAD from TX SGL to the destination
buffer, however, cannot handle the case where the SGL starts with an SGL
entry having a NULL page. Thus, the code needs to advance the start
pointer into the SGL to the first non-NULL entry.

This fixes a crash visible on Intel x86 32 bit using the libkcapi test
suite.

Fixes: 72548b093ee38 ("crypto: algif_aead - copy AAD from src to dst")
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-05 11:26:30 +01:00
Eric Biggers
5e56be0e26 crypto: dh - Don't permit 'key' or 'g' size longer than 'p'
commit ccd9888f14a8019c0bbdeeae758aba1f58693712 upstream.

The "qat-dh" DH implementation assumes that 'key' and 'g' can be copied
into a buffer with size 'p_size'.  However it was never checked that
that was actually the case, which most likely allowed users to cause a
buffer underflow via KEYCTL_DH_COMPUTE.

Fix this by updating crypto_dh_decode_key() to verify this precondition
for all DH implementations.

Fixes: c9839143ebbf ("crypto: qat - Add DH support")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-21 09:49:21 +01:00
Eric Biggers
716b9ea8c6 crypto: dh - Don't permit 'p' to be 0
commit 199512b1234f09e44d592153ec82b44212b2f0c4 upstream.

If 'p' is 0 for the software Diffie-Hellman implementation, then
dh_max_size() returns 0.  In the case of KEYCTL_DH_COMPUTE, this causes
ZERO_SIZE_PTR to be passed to sg_init_one(), which with
CONFIG_DEBUG_SG=y triggers the 'BUG_ON(!virt_addr_valid(buf));' in
sg_set_buf().

Fix this by making crypto_dh_decode_key() reject 0 for 'p'.  p=0 makes
no sense for any DH implementation because 'p' is supposed to be a prime
number.  Moreover, 'mod 0' is not mathematically defined.

Bug report:

    kernel BUG at ./include/linux/scatterlist.h:140!
    invalid opcode: 0000 [#1] SMP KASAN
    CPU: 0 PID: 27112 Comm: syz-executor2 Not tainted 4.14.0-rc7-00010-gf5dbb5d0ce32-dirty #7
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.3-20171021_125229-anatol 04/01/2014
    task: ffff88006caac0c0 task.stack: ffff88006c7c8000
    RIP: 0010:sg_set_buf include/linux/scatterlist.h:140 [inline]
    RIP: 0010:sg_init_one+0x1b3/0x240 lib/scatterlist.c:156
    RSP: 0018:ffff88006c7cfb08 EFLAGS: 00010216
    RAX: 0000000000010000 RBX: ffff88006c7cfe30 RCX: 00000000000064ee
    RDX: ffffffff81cf64c3 RSI: ffffc90000d72000 RDI: ffffffff92e937e0
    RBP: ffff88006c7cfb30 R08: ffffed000d8f9fab R09: ffff88006c7cfd30
    R10: 0000000000000005 R11: ffffed000d8f9faa R12: ffff88006c7cfd30
    R13: 0000000000000000 R14: 0000000000000010 R15: ffff88006c7cfc50
    FS:  00007fce190fa700(0000) GS:ffff88003ea00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fffc6b33db8 CR3: 000000003cf64000 CR4: 00000000000006f0
    Call Trace:
     __keyctl_dh_compute+0xa95/0x19b0 security/keys/dh.c:360
     keyctl_dh_compute+0xac/0x100 security/keys/dh.c:434
     SYSC_keyctl security/keys/keyctl.c:1745 [inline]
     SyS_keyctl+0x72/0x2c0 security/keys/keyctl.c:1641
     entry_SYSCALL_64_fastpath+0x1f/0xbe
    RIP: 0033:0x4585c9
    RSP: 002b:00007fce190f9bd8 EFLAGS: 00000216 ORIG_RAX: 00000000000000fa
    RAX: ffffffffffffffda RBX: 0000000000738020 RCX: 00000000004585c9
    RDX: 000000002000d000 RSI: 0000000020000ff4 RDI: 0000000000000017
    RBP: 0000000000000046 R08: 0000000020008000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000216 R12: 00007fff6e610cde
    R13: 00007fff6e610cdf R14: 00007fce190fa700 R15: 0000000000000000
    Code: 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 33 5b 45 89 6c 24 14 41 5c 41 5d 41 5e 41 5f 5d c3 e8 fd 8f 68 ff <0f> 0b e8 f6 8f 68 ff 0f 0b e8 ef 8f 68 ff 0f 0b e8 e8 8f 68 ff 20
    RIP: sg_set_buf include/linux/scatterlist.h:140 [inline] RSP: ffff88006c7cfb08
    RIP: sg_init_one+0x1b3/0x240 lib/scatterlist.c:156 RSP: ffff88006c7cfb08

Fixes: 802c7f1c84e4 ("crypto: dh - Add DH software implementation")
Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-21 09:49:21 +01:00
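
The two preconditions from the DH commits above (5e56be0e26 and 716b9ea8c6), combined in one added user-space sketch rather than the kernel's crypto_dh_decode_key(): sizes of 'key' and 'g' are bounded by 'p_size', and an all-zero 'p' is rejected, before any consumer copies into a 'p_size' buffer. The struct, the right-aligned copy in load_g() and the sample values are assumptions made for illustration, not the qat-dh code.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decoded DH parameters: big-endian byte strings with explicit sizes. */
struct dh_params_view {
    const unsigned char *key, *p, *g;
    size_t key_size, p_size, g_size;
};

/* Constructed sample values. */
static const unsigned char P_OK[4]   = { 0x00, 0x00, 0x00, 0x17 }; /* p = 23 */
static const unsigned char P_ZERO[4] = { 0x00, 0x00, 0x00, 0x00 };
static const unsigned char G_OK[1]   = { 0x05 };
static const unsigned char G_LONG[6] = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x05 };
static const unsigned char KEY_OK[2] = { 0x01, 0x02 };
static unsigned char SCRATCH[8];     /* output buffer for the demo */

static int all_zero(const unsigned char *b, size_t n)
{
    while (n--)
        if (*b++)
            return 0;
    return 1;                        /* also true for n == 0 */
}

/* Central check, done once at decode time for every implementation. */
static int dh_params_check(const struct dh_params_view *v)
{
    if (v->key_size > v->p_size || v->g_size > v->p_size)
        return -EINVAL;              /* would not fit a p_size buffer */
    if (all_zero(v->p, v->p_size))
        return -EINVAL;              /* p == 0, including p_size == 0 */
    return 0;
}

/* Offset at which an n-byte value lands when right-aligned in p_size bytes.
 * If n > p_size the unsigned subtraction wraps to a huge offset. */
static size_t pad_offset(size_t p_size, size_t n)
{
    return p_size - n;
}

/* Hypothetical consumer: zero-pad 'g' to p_size bytes. It relies on the
 * central check instead of re-validating the sizes itself. */
static int load_g(const unsigned char *key, size_t key_size,
                  const unsigned char *p, size_t p_size,
                  const unsigned char *g, size_t g_size,
                  unsigned char *dst, size_t dst_cap)
{
    struct dh_params_view v = {
        .key = key, .p = p, .g = g,
        .key_size = key_size, .p_size = p_size, .g_size = g_size,
    };
    int rc = dh_params_check(&v);

    if (rc)
        return rc;
    if (p_size > dst_cap)
        return -ENOSPC;
    memset(dst, 0, p_size);
    memcpy(dst + pad_offset(p_size, g_size), g, g_size);
    return 0;
}

int main(void)
{
    printf("valid params : %d\n",
           load_g(KEY_OK, 2, P_OK, 4, G_OK, 1, SCRATCH, sizeof(SCRATCH)));
    printf("g longer than p: %d (unchecked offset would be %zu)\n",
           load_g(KEY_OK, 2, P_OK, 4, G_LONG, 6, SCRATCH, sizeof(SCRATCH)),
           pad_offset(4, 6));
    printf("p == 0       : %d\n",
           load_g(KEY_OK, 2, P_ZERO, 4, G_OK, 1, SCRATCH, sizeof(SCRATCH)));
    return 0;
}
```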
Eric Biggers
a37b2a1cc6 crypto: dh - Fix double free of ctx->p
commit 12d41a023efb01b846457ccdbbcbe2b65a87d530 upstream.

When setting the secret with the software Diffie-Hellman implementation,
if allocating 'g' failed (e.g. if it was longer than
MAX_EXTERN_MPI_BITS), then 'p' was freed twice: once immediately, and
once later when the crypto_kpp tfm was destroyed.

Fix it by using dh_free_ctx() (renamed to dh_clear_ctx()) in the error
paths, as that correctly sets the pointers to NULL.

KASAN report:

    MPI: mpi too large (32760 bits)
    ==================================================================
    BUG: KASAN: use-after-free in mpi_free+0x131/0x170
    Read of size 4 at addr ffff88006c7cdf90 by task reproduce_doubl/367

    CPU: 1 PID: 367 Comm: reproduce_doubl Not tainted 4.14.0-rc7-00040-g05298abde6fe #7
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    Call Trace:
     dump_stack+0xb3/0x10b
     ? mpi_free+0x131/0x170
     print_address_description+0x79/0x2a0
     ? mpi_free+0x131/0x170
     kasan_report+0x236/0x340
     ? akcipher_register_instance+0x90/0x90
     __asan_report_load4_noabort+0x14/0x20
     mpi_free+0x131/0x170
     ? akcipher_register_instance+0x90/0x90
     dh_exit_tfm+0x3d/0x140
     crypto_kpp_exit_tfm+0x52/0x70
     crypto_destroy_tfm+0xb3/0x250
     __keyctl_dh_compute+0x640/0xe90
     ? kasan_slab_free+0x12f/0x180
     ? dh_data_from_key+0x240/0x240
     ? key_create_or_update+0x1ee/0xb20
     ? key_instantiate_and_link+0x440/0x440
     ? lock_contended+0xee0/0xee0
     ? kfree+0xcf/0x210
     ? SyS_add_key+0x268/0x340
     keyctl_dh_compute+0xb3/0xf1
     ? __keyctl_dh_compute+0xe90/0xe90
     ? SyS_add_key+0x26d/0x340
     ? entry_SYSCALL_64_fastpath+0x5/0xbe
     ? trace_hardirqs_on_caller+0x3f4/0x560
     SyS_keyctl+0x72/0x2c0
     entry_SYSCALL_64_fastpath+0x1f/0xbe
    RIP: 0033:0x43ccf9
    RSP: 002b:00007ffeeec96158 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa
    RAX: ffffffffffffffda RBX: 000000000248b9b9 RCX: 000000000043ccf9
    RDX: 00007ffeeec96170 RSI: 00007ffeeec96160 RDI: 0000000000000017
    RBP: 0000000000000046 R08: 0000000000000000 R09: 0248b9b9143dc936
    R10: 0000000000001000 R11: 0000000000000246 R12: 0000000000000000
    R13: 0000000000409670 R14: 0000000000409700 R15: 0000000000000000

    Allocated by task 367:
     save_stack_trace+0x16/0x20
     kasan_kmalloc+0xeb/0x180
     kmem_cache_alloc_trace+0x114/0x300
     mpi_alloc+0x4b/0x230
     mpi_read_raw_data+0xbe/0x360
     dh_set_secret+0x1dc/0x460
     __keyctl_dh_compute+0x623/0xe90
     keyctl_dh_compute+0xb3/0xf1
     SyS_keyctl+0x72/0x2c0
     entry_SYSCALL_64_fastpath+0x1f/0xbe

    Freed by task 367:
     save_stack_trace+0x16/0x20
     kasan_slab_free+0xab/0x180
     kfree+0xb5/0x210
     mpi_free+0xcb/0x170
     dh_set_secret+0x2d7/0x460
     __keyctl_dh_compute+0x623/0xe90
     keyctl_dh_compute+0xb3/0xf1
     SyS_keyctl+0x72/0x2c0
     entry_SYSCALL_64_fastpath+0x1f/0xbe

Fixes: 802c7f1c84e4 ("crypto: dh - Add DH software implementation")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-21 09:49:20 +01:00
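
The error-path pattern behind this double free, as an added user-space model (not the kernel's dh.c and not code from the commit): a toy allocator counts frees of already-freed objects instead of corrupting memory, so the buggy and fixed set-secret paths can be compared directly. All names, the pool and the TOY_MAX_MPI_BITS limit are assumptions of this sketch; the 32760-bit 'g' matches the size in the report above.

```c
#include <stddef.h>
#include <stdio.h>

#define TOY_MAX_MPI_BITS 16384 /* sketch limit standing in for MAX_EXTERN_MPI_BITS */
#define POOL_SLOTS 8

/* Toy big-number object; slots are never reused, so stale pointers stay
 * valid to inspect and a second free can be detected safely. */
struct toy_mpi { int live; size_t nbits; };

static struct toy_mpi pool[POOL_SLOTS];
static size_t next_slot;
static int double_frees;

static void pool_reset(void)
{
    next_slot = 0;
    double_frees = 0;
}

static struct toy_mpi *toy_mpi_read(size_t nbits)
{
    if (nbits > TOY_MAX_MPI_BITS || next_slot == POOL_SLOTS)
        return NULL;                 /* "mpi too large" or pool exhausted */
    pool[next_slot].live = 1;
    pool[next_slot].nbits = nbits;
    return &pool[next_slot++];
}

static void toy_mpi_free(struct toy_mpi *m)
{
    if (!m)
        return;                      /* freeing NULL is a no-op */
    if (!m->live) {
        double_frees++;              /* a real allocator would be corrupted here */
        return;
    }
    m->live = 0;
}

struct toy_dh_ctx { struct toy_mpi *p, *g; };

/* Free everything and reset the pointers, so a later call is harmless. */
static void ctx_clear(struct toy_dh_ctx *ctx)
{
    toy_mpi_free(ctx->p);
    toy_mpi_free(ctx->g);
    ctx->p = NULL;
    ctx->g = NULL;
}

/* Buggy error path: frees 'p' but leaves ctx->p pointing at it. */
static int set_secret_buggy(struct toy_dh_ctx *ctx, size_t p_bits, size_t g_bits)
{
    ctx->p = toy_mpi_read(p_bits);
    if (!ctx->p)
        return -1;
    ctx->g = toy_mpi_read(g_bits);
    if (!ctx->g) {
        toy_mpi_free(ctx->p);        /* ctx->p is now dangling */
        return -1;
    }
    return 0;
}

/* Fixed error path: reuse the clearing helper. */
static int set_secret_fixed(struct toy_dh_ctx *ctx, size_t p_bits, size_t g_bits)
{
    ctx->p = toy_mpi_read(p_bits);
    if (!ctx->p)
        return -1;
    ctx->g = toy_mpi_read(g_bits);
    if (!ctx->g) {
        ctx_clear(ctx);
        return -1;
    }
    return 0;
}

/* One object lifetime: set the secret, then destroy the context.
 * Returns how many times an already-freed object was freed again. */
static int lifecycle_double_frees(int use_fixed, size_t p_bits, size_t g_bits)
{
    struct toy_dh_ctx ctx = { NULL, NULL };

    pool_reset();
    if (use_fixed)
        set_secret_fixed(&ctx, p_bits, g_bits);
    else
        set_secret_buggy(&ctx, p_bits, g_bits);
    ctx_clear(&ctx);                 /* teardown when the context is destroyed */
    return double_frees;
}

int main(void)
{
    printf("buggy, oversized g: %d double free(s)\n",
           lifecycle_double_frees(0, 2048, 32760));
    printf("fixed, oversized g: %d double free(s)\n",
           lifecycle_double_frees(1, 2048, 32760));
    return 0;
}
```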
Linus Torvalds
af903dcd31 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Pull crypto fixes from Herbert Xu:
 "This fixes an unaligned panic in x86/sha-mb and a bug in ccm that
  triggers with certain underlying implementations"

* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: ccm - preserve the IV buffer
  crypto: x86/sha1-mb - fix panic due to unaligned access
  crypto: x86/sha256-mb - fix panic due to unaligned access
2017-11-06 09:05:03 -08:00
Romain Izard
441f99c904 crypto: ccm - preserve the IV buffer
The IV buffer used during CCM operations is used twice, during both the
hashing step and the ciphering step.

When using a hardware accelerator that updates the contents of the IV
buffer at the end of ciphering operations, the value will be modified.
In the decryption case, the subsequent setup of the hashing algorithm
will interpret the updated IV instead of the original value, which can
lead to out-of-bounds writes.

Reuse the idata buffer, only used in the hashing step, to preserve the
IV's value during the ciphering step in the decryption case.

Signed-off-by: Romain Izard <romain.izard.pro@gmail.com>
Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-11-03 21:35:35 +08:00
Greg Kroah-Hartman
b24413180f License cleanup: add SPDX GPL-2.0 license identifier to files with no license
Many source files in the tree are missing licensing information, which
makes it harder for compliance tools to determine the correct license.

By default all files without license information are under the default
license of the kernel, which is GPL version 2.

Update the files which contain no license information with the 'GPL-2.0'
SPDX license identifier.  The SPDX identifier is a legally binding
shorthand, which can be used instead of the full boiler plate text.

This patch is based on work done by Thomas Gleixner and Kate Stewart and
Philippe Ombredanne.

How this work was done:

Patches were generated and checked against linux-4.14-rc6 for a subset of
the use cases:
 - file had no licensing information in it.
 - file was a */uapi/* one with no licensing information in it,
 - file was a */uapi/* one with existing licensing information,

Further patches will be generated in subsequent months to fix up cases
where non-standard license headers were used, and references to license
had to be inferred by heuristics based on keywords.

The analysis to determine which SPDX License Identifier to be applied to
a file was done in a spreadsheet of side by side results from the
output of two independent scanners (ScanCode & Windriver) producing SPDX
tag:value files created by Philippe Ombredanne.  Philippe prepared the
base worksheet, and did an initial spot review of a few 1000 files.

The 4.13 kernel was the starting point of the analysis with 60,537 files
assessed.  Kate Stewart did a file by file comparison of the scanner
results in the spreadsheet to determine which SPDX license identifier(s)
to be applied to the file. She confirmed any determination that was not
immediately clear with lawyers working with the Linux Foundation.

Criteria used to select files for SPDX license identifier tagging were:
 - Files considered eligible had to be source code files.
 - Make and config files were included as candidates if they contained >5
   lines of source
 - File already had some variant of a license header in it (even if <5
   lines).

All documentation files were explicitly excluded.

The following heuristics were used to determine which SPDX license
identifiers to apply.

 - when both scanners couldn't find any license traces, file was
   considered to have no license information in it, and the top level
   COPYING file license applied.

   For non */uapi/* files that summary was:

   SPDX license identifier                            # files
   ---------------------------------------------------|-------
   GPL-2.0                                              11139

   and resulted in the first patch in this series.

   If that file was a */uapi/* path one, it was "GPL-2.0 WITH
   Linux-syscall-note" otherwise it was "GPL-2.0".  Results of that was:

   SPDX license identifier                            # files
   ---------------------------------------------------|-------
   GPL-2.0 WITH Linux-syscall-note                        930

   and resulted in the second patch in this series.

 - if a file had some form of licensing information in it, and was one
   of the */uapi/* ones, it was denoted with the Linux-syscall-note if
   any GPL family license was found in the file or had no licensing in
   it (per prior point).  Results summary:

   SPDX license identifier                            # files
   ---------------------------------------------------|------
   GPL-2.0 WITH Linux-syscall-note                       270
   GPL-2.0+ WITH Linux-syscall-note                      169
   ((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause)    21
   ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause)    17
   LGPL-2.1+ WITH Linux-syscall-note                      15
   GPL-1.0+ WITH Linux-syscall-note                       14
   ((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause)    5
   LGPL-2.0+ WITH Linux-syscall-note                       4
   LGPL-2.1 WITH Linux-syscall-note                        3
   ((GPL-2.0 WITH Linux-syscall-note) OR MIT)              3
   ((GPL-2.0 WITH Linux-syscall-note) AND MIT)             1

   and that resulted in the third patch in this series.

 - when the two scanners agreed on the detected license(s), that became
   the concluded license(s).

 - when there was disagreement between the two scanners (one detected a
   license but the other didn't, or they both detected different
   licenses) a manual inspection of the file occurred.

 - In most cases a manual inspection of the information in the file
   resulted in a clear resolution of the license that should apply (and
   which scanner probably needed to revisit its heuristics).

 - When it was not immediately clear, the license identifier was
   confirmed with lawyers working with the Linux Foundation.

 - If there was any question as to the appropriate license identifier,
   the file was flagged for further research and to be revisited later
   in time.

In total, over 70 hours of logged manual review was done on the
spreadsheet to determine the SPDX license identifiers to apply to the
source files by Kate, Philippe, Thomas and, in some cases, confirmation
by lawyers working with the Linux Foundation.

Kate also obtained a third independent scan of the 4.13 code base from
FOSSology, and compared selected files where the other two scanners
disagreed against that SPDX file, to see if there were new insights.  The
Windriver scanner is based on an older version of FOSSology in part, so
they are related.

Thomas did random spot checks in about 500 files from the spreadsheets
for the uapi headers and agreed with SPDX license identifier in the
files he inspected. For the non-uapi files Thomas did random spot checks
in about 15000 files.

In the initial set of patches against 4.14-rc6, 3 files were found to have
copy/paste license identifier errors, and have been fixed to reflect the
correct identifier.

Additionally Philippe spent 10 hours this week doing a detailed manual
inspection and review of the 12,461 patched files from the initial patch
version early this week with:
 - a full scancode scan run, collecting the matched texts, detected
   license ids and scores
 - reviewing anything where there was a license detected (about 500+
   files) to ensure that the applied SPDX license was correct
 - reviewing anything where there was no detection but the patch license
   was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied
   SPDX license was correct

This produced a worksheet with 20 files needing minor correction.  This
worksheet was then exported into 3 different .csv files for the
different types of files to be modified.

These .csv files were then reviewed by Greg.  Thomas wrote a script to
parse the csv files and add the proper SPDX tag to the file, in the
format that the file expected.  This script was further refined by Greg
based on the output to detect more types of files automatically and to
distinguish between header and source .c files (which need different
comment types.)  Finally Greg ran the script using the .csv files to
generate the patches.

Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-02 11:10:55 +01:00
James Morris
494b9ae7ab Merge commit 'tags/keys-fixes-20171018' into fixes-v4.14-rc5 2017-10-19 12:28:38 +11:00
Eric Sesterhenn
68a1fdbbf8 pkcs7: Prevent NULL pointer dereference, since sinfo is not always set.
The ASN.1 parser does not necessarily set the sinfo field,
this patch prevents a NULL pointer dereference on broken
input.

Fixes: 99db44350672 ("PKCS#7: Appropriately restrict authenticated attributes and content type")
Signed-off-by: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: stable@vger.kernel.org # 4.3+
2017-10-18 09:12:41 +01:00
Chun-Yi Lee
b3811d36a3 KEYS: checking the input id parameters before finding asymmetric key
When finding an asymmetric key, the input id_0 and id_1 parameters
cannot be NULL at the same time. This patch adds a BUG_ON check
for id_0 and id_1.

Cc: David Howells <dhowells@redhat.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Chun-Yi Lee <jlee@suse.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2017-10-18 09:12:40 +01:00
Chun-Yi Lee
6a6d2a77ad KEYS: Fix the wrong index when checking the existence of second id
Fix the wrong index number when checking the existence of the second
id in the function for finding an asymmetric key. id_1 is the second
id, so its index in the array must be 1, not 0.

Fixes: 9eb029893ad5 (KEYS: Generalise x509_request_asymmetric_key())
Cc: David Howells <dhowells@redhat.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Chun-Yi Lee <jlee@suse.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2017-10-18 09:12:40 +01:00
Herbert Xu
b61907bb42 crypto: shash - Fix zero-length shash ahash digest crash
The shash ahash digest adaptor function may crash if given a
zero-length input together with a null SG list.  This is because
it tries to read the SG list before looking at the length.

This patch fixes it by checking the length first.

Cc: <stable@vger.kernel.org>
Reported-by: Stephan Müller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Stephan Müller <smueller@chronox.de>
2017-10-11 00:34:07 +08:00
Herbert Xu
0cabf2af6f crypto: skcipher - Fix crash on zero-length input
The skcipher walk interface doesn't handle zero-length input
properly as the old blkcipher walk interface did.  This is due
to the fact that the length check is done too late.

This patch moves the length check forward so that it does the
right thing.

Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk...")
Cc: <stable@vger.kernel.org>
Reported-by: Stephan Müller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-10-07 12:04:32 +08:00
Jia-Ju Bai
9039f3ef44 crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned
The SCTP program may sleep under a spinlock, and the function call path is:
sctp_generate_t3_rtx_event (acquire the spinlock)
  sctp_do_sm
    sctp_side_effects
      sctp_cmd_interpreter
        sctp_make_init_ack
          sctp_pack_cookie
            crypto_shash_setkey
              shash_setkey_unaligned
                kmalloc(GFP_KERNEL)

For the same reason, the orinoco driver may sleep in interrupt handler,
and the function call path is:
orinoco_rx_isr_tasklet
  orinoco_rx
    orinoco_mic
      crypto_shash_setkey
        shash_setkey_unaligned
          kmalloc(GFP_KERNEL)

To fix it, GFP_KERNEL is replaced with GFP_ATOMIC.
This bug was found by my static analysis tool and my code review.

Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-10-07 12:04:32 +08:00