| Age | Commit message (Collapse) | Author |
|---|
|
git://git.linaro.org/kernel/linux-linaro-stable.git
* linux-linaro-lsk-v4.4-android: (812 commits)
Linux 4.4.167
mac80211: ignore NullFunc frames in the duplicate detection
mac80211: fix reordering of buffered broadcast packets
mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext
mac80211: Clear beacon_int in ieee80211_do_stop
mac80211_hwsim: Timer should be initialized before device registered
kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
tty: serial: 8250_mtk: always resume the device in probe.
cifs: Fix separator when building path from dentry
Staging: lustre: remove two build warnings
xhci: Prevent U1/U2 link pm states if exit latency is too long
SUNRPC: Fix leak of krb5p encode pages
virtio/s390: fix race in ccw_io_helper()
virtio/s390: avoid race on vcdev->config
ALSA: pcm: Fix interval evaluation with openmin/max
ALSA: pcm: Call snd_pcm_unlink() conditionally at closing
ALSA: pcm: Fix starvation on down_write_nonblock()
ALSA: hda: Add support for AMD Stoney Ridge
ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c
USB: check usb_get_extra_descriptor for proper size
...
Conflicts:
drivers/gpu/drm/rockchip/rockchip_drm_drv.c
drivers/usb/host/xhci-ring.c
Change-Id: I4304b0875908403a7d88a0d77da52cea04563c11
|
|
* linux-linaro-lsk-v4.4: (622 commits)
Linux 4.4.166
drm/ast: Remove existing framebuffers before loading driver
s390/mm: Check for valid vma before zapping in gmap_discard
namei: allow restricted O_CREAT of FIFOs and regular files
sched/core: Allow __sched_setscheduler() in interrupts when PI is not used
btrfs: Ensure btrfs_trim_fs can trim the whole filesystem
usb: xhci: fix uninitialized completion when USB3 port got wrong status
tty: wipe buffer if not echoing data
tty: wipe buffer.
iwlwifi: mvm: fix regulatory domain update when the firmware starts
scsi: qla2xxx: do not queue commands when unloading
scsi: ufshcd: release resources if probe fails
scsi: ufs: fix race between clock gating and devfreq scaling work
scsi: ufshcd: Fix race between clk scaling and ungate work
scsi: ufs: fix bugs related to null pointer access and array size
netfilter: nf_tables: fix oops when inserting an element into a verdict map
mwifiex: fix p2p device doesn't find in scan problem
mwifiex: Fix NULL pointer dereference in skb_dequeue()
cw1200: Don't leak memory if krealloc failes
Input: xpad - add support for Xbox1 PDP Camo series gamepad
...
Conflicts:
Makefile
arch/x86/Makefile
drivers/base/power/main.c
drivers/block/zram/zram_drv.c
kernel/debug/kdb/kdb_io.c
net/ipv6/route.c
scripts/Kbuild.include
Conflicts in above files are fixed as done in AOSP Change-Id:
I5bd20327e0c1139c46f74e8d5916fa0530a307d3 ("Merge 4.4.165 into android-4.4").
arch/arm64/include/asm/cpufeature.h
arch/arm64/kernel/cpufeature.c
Conflicts in above files is due to AOSP Change-Id:
I11cb874d12a7d0921f452c62b0752e0028a8e0a7 ("FROMLIST: arm64: entry: Add
fake CPU feature for unmapping the kernel at EL0"), which needed a minor
rebasing.
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
|
|
cipher"
This reverts commit 18954d93f394fd45aa454bb3c138fb7b9c2fa820.
Bug: 116008047
Change-Id: If9192b30cdb4212fb6c8111d70c532a109695fbd
Signed-off-by: Alistair Strachan <astrachan@google.com>
[AmitP: Updated commit message for correct SHA1 hash]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
|
|
This reverts commit bc84402781ae0a4863983c22cdfabccb2de24761.
Bug: 116008047
Change-Id: I9d0a8357be1ab090a793646716771015299fb7fe
Signed-off-by: Alistair Strachan <astrachan@google.com>
[AmitP: Updated commit message for correct SHA1 hash]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
|
|
This reverts commit 239fd75203f2b2522f961a40c20295765ee5c8bd.
Bug: 116008047
Change-Id: Id68b333c66c89bc69e61bdd96d21fa6bc6dbf3b8
Signed-off-by: Alistair Strachan <astrachan@google.com>
[AmitP: Updated commit message for correct SHA1 hash]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
|
|
This reverts commit c21d7a05687ac82404aeb02fc5c654c5bf9144c5.
Bug: 116008047
Change-Id: I96897223f5daced94e3d62ae817c2de2b59b417f
Signed-off-by: Alistair Strachan <astrachan@google.com>
[AmitP: Updated commit message for correct SHA1 hash]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
|
|
commit fbe1a850b3b1522e9fc22319ccbbcd2ab05328d2 upstream.
When the LRW block counter overflows, the current implementation returns
128 as the index to the precomputed multiplication table, which has 128
entries. This patch fixes it to return the correct value (127).
Fixes: 64470f1b8510 ("[CRYPTO] lrw: Liskov Rivest Wagner, a tweakable narrow block cipher mode")
Cc: <stable@vger.kernel.org> # 2.6.20+
Reported-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
[ Upstream commit 9039f3ef446e9ffa200200c934f049add9e58426 ]
The SCTP program may sleep under a spinlock, and the function call path is:
sctp_generate_t3_rtx_event (acquire the spinlock)
sctp_do_sm
sctp_side_effects
sctp_cmd_interpreter
sctp_make_init_ack
sctp_pack_cookie
crypto_shash_setkey
shash_setkey_unaligned
kmalloc(GFP_KERNEL)
For the same reason, the orinoco driver may sleep in interrupt handler,
and the function call path is:
orinoco_rx_isr_tasklet
orinoco_rx
orinoco_mic
crypto_shash_setkey
shash_setkey_unaligned
kmalloc(GFP_KERNEL)
To fix it, GFP_KERNEL is replaced with GFP_ATOMIC.
This bug is found by my static analysis tool and my code review.
Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
|
git://git.linaro.org/kernel/linux-linaro-stable.git
* linux-linaro-lsk-v4.4-android: (1212 commits)
ANDROID: sdcardfs: Change current->fs under lock
ANDROID: sdcardfs: Don't use OVERRIDE_CRED macro
ANDROID: restrict store of prefer_idle as boolean
BACKPORT: arm/syscalls: Optimize address limit check
UPSTREAM: syscalls: Use CHECK_DATA_CORRUPTION for addr_limit_user_check
BACKPORT: arm64/syscalls: Check address limit on user-mode return
BACKPORT: x86/syscalls: Check address limit on user-mode return
BACKPORT: lkdtm: add bad USER_DS test
UPSTREAM: bug: switch data corruption check to __must_check
BACKPORT: lkdtm: Add tests for struct list corruption
UPSTREAM: bug: Provide toggle for BUG on data corruption
UPSTREAM: list: Split list_del() debug checking into separate function
UPSTREAM: rculist: Consolidate DEBUG_LIST for list_add_rcu()
BACKPORT: list: Split list_add() debug checking into separate function
FROMLIST: ANDROID: binder: Add BINDER_GET_NODE_INFO_FOR_REF ioctl.
BACKPORT: arm64/vdso: Fix nsec handling for CLOCK_MONOTONIC_RAW
ANDROID: arm64: mm: fix 4.4.154 merge
BACKPORT: zsmalloc: introduce zs_huge_class_size()
BACKPORT: zram: drop max_zpage_size and use zs_huge_class_size()
ANDROID: tracing: fix race condition reading saved tgids
...
Change-Id: I9f23db35eb926b6fa0d7af7dbbb55c9a37d536fc
|
|
[ Upstream commit cefd769fd0192c84d638f66da202459ed8ad63ba ]
As of GCC 9.0.0 the build is reporting warnings like:
crypto/ablkcipher.c: In function ‘crypto_ablkcipher_report’:
crypto/ablkcipher.c:374:2: warning: ‘strncpy’ specified bound 64 equals destination size [-Wstringop-truncation]
strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "<default>",
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sizeof(rblkcipher.geniv));
~~~~~~~~~~~~~~~~~~~~~~~~~
This means the strnycpy might create a non null terminated string. Fix this by
explicitly performing '\0' termination.
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Max Filippov <jcmvbkbc@gmail.com>
Cc: Eric Biggers <ebiggers3@gmail.com>
Cc: Nick Desaulniers <nick.desaulniers@gmail.com>
Signed-off-by: Stafford Horne <shorne@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Adds zstd support to crypto and scompress. Only supports the default
level.
Previously we held off on this patch, since there weren't any users.
Now zram is ready for zstd support, but depends on CONFIG_CRYPTO_ZSTD,
which isn't defined until this patch is in. I also see a patch adding
zstd to pstore [0], which depends on crypto zstd.
[0] lkml.kernel.org/r/9c9416b2dff19f05fb4c35879aaa83d11ff72c92.1521626182.git.geliangtang@gmail.com
Signed-off-by: Nick Terrell <terrelln@fb.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit d28fc3dbe1918333730d62aa5f0d84b6fb4e7254)
Signed-off-by: Peter Kalauskas <peskal@google.com>
Bug: 112488418
Change-Id: I070acf1dd8bf415f8997a48ee908d930754fc71e
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
|
|
android-4.4
6944da0a68ca treewide: Use array_size in f2fs_kvzalloc()
f15443db99c3 treewide: Use array_size() in f2fs_kzalloc()
3ea03ea4bd09 treewide: Use array_size() in f2fs_kmalloc()
c41203299a52 overflow.h: Add allocation size calculation helpers
d400752f547f f2fs: fix to clear FI_VOLATILE_FILE correctly
853e7339b634 f2fs: let sync node IO interrupt async one
6a4540cf1984 f2fs: don't change wbc->sync_mode
588ecdfd7d02 f2fs: fix to update mtime correctly
1ae5aadab191 fs: f2fs: insert space around that ':' and ', '
39ee53e22320 fs: f2fs: add missing blank lines after declarations
d5b4710fcf38 fs: f2fs: changed variable type of offset "unsigned" to "loff_t"
c35da89531b3 f2fs: clean up symbol namespace
fcf37e16f3cb f2fs: make set_de_type() static
5d1633aa1071 f2fs: make __f2fs_write_data_pages() static
cc8093af7c42 f2fs: fix to avoid accessing cross the boundary
b7f559467095 f2fs: fix to let caller retry allocating block address
e48fcd857657 disable loading f2fs module on PAGE_SIZE > 4KB
02afc275a5bd f2fs: fix error path of move_data_page
0291bd36d076 f2fs: don't drop dentry pages after fs shutdown
a1259450b6db f2fs: fix to avoid race during access gc_thread pointer
d2e0f2f786a6 f2fs: clean up with clear_radix_tree_dirty_tag
c74034518fdc f2fs: fix to don't trigger writeback during recovery
e72a2cca82d8 f2fs: clear discard_wake earlier
b25a1872e9a5 f2fs: let discard thread wait a little longer if dev is busy
b125dfb20d18 f2fs: avoid stucking GC due to atomic write
405909e7f532 f2fs: introduce sbi->gc_mode to determine the policy
1f62e4702a34 f2fs: keep migration IO order in LFS mode
c4408c238722 f2fs: fix to wait page writeback during revoking atomic write
9db5be4af890 f2fs: Fix deadlock in shutdown ioctl
ed74404955cd f2fs: detect synchronous writeback more earlier
91e7d9d2ddbf mm: remove nr_pages argument from pagevec_lookup_{,range}_tag()
feb94dc82928 ceph: use pagevec_lookup_range_nr_tag()
f3aa4a25b8b0 mm: add variant of pagevec_lookup_range_tag() taking number of pages
8914877e374a mm: use pagevec_lookup_range_tag() in write_cache_pages()
26778b87a006 mm: use pagevec_lookup_range_tag() in __filemap_fdatawait_range()
94f1b99298bd nilfs2: use pagevec_lookup_range_tag()
160355d69f46 gfs2: use pagevec_lookup_range_tag()
564108e83a74 f2fs: use find_get_pages_tag() for looking up single page
6cf6fb8645ff f2fs: simplify page iteration loops
a05d8a6a2bde f2fs: use pagevec_lookup_range_tag()
18a4848ffded ext4: use pagevec_lookup_range_tag()
1c7be24f65cd ceph: use pagevec_lookup_range_tag()
e25fadabb5c7 btrfs: use pagevec_lookup_range_tag()
bf9510b162c4 mm: implement find_get_pages_range_tag()
461247b21fde f2fs: clean up with is_valid_blkaddr()
a5d0ccbc189a f2fs: fix to initialize min_mtime with ULLONG_MAX
9bb4d22cf5de f2fs: fix to let checkpoint guarantee atomic page persistence
cdcf2b3e2559 f2fs: fix to initialize i_current_depth according to inode type
331ae0c25b44 Revert "f2fs: add ovp valid_blocks check for bg gc victim to fg_gc"
2494cc7c0bcd f2fs: don't drop any page on f2fs_cp_error() case
0037c639e63d f2fs: fix spelling mistake: "extenstion" -> "extension"
2bba5b8eb867 f2fs: enhance sanity_check_raw_super() to avoid potential overflows
9bb86b63dc0f f2fs: treat volatile file's data as hot one
2cf64590361e f2fs: introduce release_discard_addr() for cleanup
03279ce90b46 f2fs: fix potential overflow
f46eddc4da48 f2fs: rename dio_rwsem to i_gc_rwsem
bb015824532c f2fs: move mnt_want_write_file after range check
8bb9a8da75d1 f2fs: fix missing clear FI_NO_PREALLOC in some error case
cb38cc4e1d02 f2fs: enforce fsync_mode=strict for renamed directory
26bf4e8a96aa f2fs: sanity check for total valid node blocks
78f8b0f46fa2 f2fs: sanity check on sit entry
ab758ada220f f2fs: avoid bug_on on corrupted inode
1a5d1966c0ca f2fs: give message and set need_fsck given broken node id
b025f6dfc018 f2fs: clean up commit_inmem_pages()
7aff5c69da4c f2fs: do not check F2FS_INLINE_DOTS in recover
23d00b02878e f2fs: remove duplicated dquot_initialize and fix error handling
937f4ef79e25 f2fs: stop issue discard if something wrong with f2fs
a6d74bb282ad f2fs: fix return value in f2fs_ioc_commit_atomic_write
258489ec5220 f2fs: allocate hot_data for atomic write more strictly
aa857e0f3b09 f2fs: check if inmem_pages list is empty correctly
9d77ded0a71d f2fs: fix race in between GC and atomic open
0d17eb90b56a f2fs: change le32 to le16 of f2fs_inode->i_extra_size
ea2813111f1f f2fs: check cur_valid_map_mir & raw_sit block count when flush sit entries
9190cadf38db f2fs: correct return value of f2fs_trim_fs
17f85d070886 f2fs: fix to show missing bits in FS_IOC_GETFLAGS
3e90db63fcfc f2fs: remove unneeded F2FS_PROJINHERIT_FL
298032d4d4a6 f2fs: don't use GFP_ZERO for page caches
fdf61219dc25 f2fs: issue all big range discards in umount process
cd79eb2b5e45 f2fs: remove redundant block plug
ec034d0f14ca f2fs: remove unmatched zero_user_segment when convert inline dentry
71aaced0e1ee f2fs: introduce private inode status mapping
e7724207f71e fscrypt: log the crypto algorithm implementations
4cbda579cd3d crypto: api - Add crypto_type_has_alg helper
b24dcaae8753 crypto: skcipher - Add low-level skcipher interface
a9146e423547 crypto: skcipher - Add helper to retrieve driver name
a0ca4bdf4744 crypto: skcipher - Add default key size helper
eb13e0b69296 fscrypt: add Speck128/256 support
27a0e77380a3 fscrypt: only derive the needed portion of the key
f68a71fa8f77 fscrypt: separate key lookup from key derivation
52359cf4fd6d fscrypt: use a common logging function
ff8e7c745e2b fscrypt: remove internal key size constants
7149dd4d39b5 fscrypt: remove unnecessary check for non-logon key type
56446c91422e fscrypt: make fscrypt_operations.max_namelen an integer
f572a22ef9a5 fscrypt: drop empty name check from fname_decrypt()
0077eff1d2e3 fscrypt: drop max_namelen check from fname_decrypt()
3f7af9d27fd6 fscrypt: don't special-case EOPNOTSUPP from fscrypt_get_encryption_info()
52c51f7b7bde fscrypt: don't clear flags on crypto transform
89b7fb82982f fscrypt: remove stale comment from fscrypt_d_revalidate()
d56de4e926ad fscrypt: remove error messages for skcipher_request_alloc() failure
f68d3b84aef1 fscrypt: remove unnecessary NULL check when allocating skcipher
fb10231825e9 fscrypt: clean up after fscrypt_prepare_lookup() conversions
39b144490606 fscrypt: use unbound workqueue for decryption
Change-Id: Ied79ecd97385c05ef26e6b7b24d250eee9ec4e47
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Conflicts:
fs/crypto/keyinfo.c
fs/f2fs/inline.c
Resolved conflicts based on android-4.4:fs/f2fs codebase.
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
|
|
* linux-linaro-lsk-v4.4: (783 commits)
Linux 4.4.159
iw_cxgb4: only allow 1 flush on user qps
HID: sony: Support DS4 dongle
HID: sony: Update device ids
arm64: Add trace_hardirqs_off annotation in ret_to_user
ext4: don't mark mmp buffer head dirty
ext4: fix online resizing for bigalloc file systems with a 1k block size
ext4: fix online resize's handling of a too-small final block group
ext4: recalucate superblock checksum after updating free blocks/inodes
ext4: avoid divide by zero fault when deleting corrupted inline directories
tty: vt_ioctl: fix potential Spectre v1
drm/nouveau/drm/nouveau: Use pm_runtime_get_noresume() in connector_detect()
ocfs2: fix ocfs2 read block panic
scsi: target: iscsi: Use hex2bin instead of a re-implementation
neighbour: confirm neigh entries when ARP packet is received
net: hp100: fix always-true check for link up state
net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT
ipv6: fix possible use-after-free in ip6_xmit()
gso_segment: Reset skb->mac_len after modifying network header
mm: shmem.c: Correctly annotate new inodes for lockdep
...
Conflicts:
Makefile
fs/squashfs/block.c
include/uapi/linux/prctl.h
kernel/fork.c
kernel/sys.c
Trivial merge conflicts in above files. Resolved by rebasing
corresponding AOSP changes.
arch/arm64/mm/init.c
Pick the changes from upstream version of AOSP patch
"arm64: check for upper PAGE_SHIFT bits in pfn_valid" instead.
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
|
|
git://git.linaro.org/kernel/linux-linaro-stable.git
* linux-linaro-lsk-v4.4: (519 commits)
Linux 4.4.154
cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status
iscsi target: fix session creation failure handling
scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock
scsi: sysfs: Introduce sysfs_{un,}break_active_protection()
MIPS: lib: Provide MIPS64r6 __multi3() for GCC < 7
MIPS: Correct the 64-bit DSP accumulator register size
kprobes: Make list and blacklist root user read only
s390/pci: fix out of bounds access during irq setup
s390/qdio: reset old sbal_state flags
s390: fix br_r1_trampoline for machines without exrl
x86/spectre: Add missing family 6 check to microcode check
x86/irqflags: Mark native_restore_fl extern inline
pinctrl: freescale: off by one in imx1_pinconf_group_dbg_show()
ASoC: sirf: Fix potential NULL pointer dereference
ASoC: dpcm: don't merge format from invalid codec dai
udl-kms: fix crash due to uninitialized memory
udl-kms: handle allocation failure
udl-kms: change down_interruptible to down
fuse: Add missed unlock_page() to fuse_readpages_fill()
...
Conflicts:
Makefile
arch/arm64/mm/init.c
fs/squashfs/block.c
include/uapi/linux/prctl.h
kernel/sys.c
Change-Id: Ie03b5adfbbb4ab2bf16bc55d99f0d8a9c540a53b
|
|
commit 318abdfbe708aaaa652c79fb500e9bd60521f9dc upstream.
Like the skcipher_walk and blkcipher_walk cases:
scatterwalk_done() is only meant to be called after a nonzero number of
bytes have been processed, since scatterwalk_pagedone() will flush the
dcache of the *previous* page. But in the error case of
ablkcipher_walk_done(), e.g. if the input wasn't an integer number of
blocks, scatterwalk_done() was actually called after advancing 0 bytes.
This caused a crash ("BUG: unable to handle kernel paging request")
during '!PageSlab(page)' on architectures like arm and arm64 that define
ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
page-aligned as in that case walk->offset == 0.
Fix it by reorganizing ablkcipher_walk_done() to skip the
scatterwalk_advance() and scatterwalk_done() if an error has occurred.
Reported-by: Liu Chao <liuchao741@huawei.com>
Fixes: bf06099db18a ("crypto: skcipher - Add ablkcipher_walk interfaces")
Cc: <stable@vger.kernel.org> # v2.6.35+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit 0868def3e4100591e7a1fdbf3eed1439cc8f7ca3 upstream.
Like the skcipher_walk case:
scatterwalk_done() is only meant to be called after a nonzero number of
bytes have been processed, since scatterwalk_pagedone() will flush the
dcache of the *previous* page. But in the error case of
blkcipher_walk_done(), e.g. if the input wasn't an integer number of
blocks, scatterwalk_done() was actually called after advancing 0 bytes.
This caused a crash ("BUG: unable to handle kernel paging request")
during '!PageSlab(page)' on architectures like arm and arm64 that define
ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
page-aligned as in that case walk->offset == 0.
Fix it by reorganizing blkcipher_walk_done() to skip the
scatterwalk_advance() and scatterwalk_done() if an error has occurred.
This bug was found by syzkaller fuzzing.
Reproducer, assuming ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE:
#include <linux/if_alg.h>
#include <sys/socket.h>
#include <unistd.h>
int main()
{
struct sockaddr_alg addr = {
.salg_type = "skcipher",
.salg_name = "ecb(aes-generic)",
};
char buffer[4096] __attribute__((aligned(4096))) = { 0 };
int fd;
fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(fd, (void *)&addr, sizeof(addr));
setsockopt(fd, SOL_ALG, ALG_SET_KEY, buffer, 16);
fd = accept(fd, NULL, NULL);
write(fd, buffer, 15);
read(fd, buffer, 15);
}
Reported-by: Liu Chao <liuchao741@huawei.com>
Fixes: 5cde0af2a982 ("[CRYPTO] cipher: Added block cipher type")
Cc: <stable@vger.kernel.org> # v2.6.19+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit bb29648102335586e9a66289a1d98a0cb392b6e5 upstream.
syzbot reported a crash in vmac_final() when multiple threads
concurrently use the same "vmac(aes)" transform through AF_ALG. The bug
is pretty fundamental: the VMAC template doesn't separate per-request
state from per-tfm (per-key) state like the other hash algorithms do,
but rather stores it all in the tfm context. That's wrong.
Also, vmac_final() incorrectly zeroes most of the state including the
derived keys and cached pseudorandom pad. Therefore, only the first
VMAC invocation with a given key calculates the correct digest.
Fix these bugs by splitting the per-tfm state from the per-request state
and using the proper init/update/final sequencing for requests.
Reproducer for the crash:
#include <linux/if_alg.h>
#include <sys/socket.h>
#include <unistd.h>
int main()
{
int fd;
struct sockaddr_alg addr = {
.salg_type = "hash",
.salg_name = "vmac(aes)",
};
char buf[256] = { 0 };
fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(fd, (void *)&addr, sizeof(addr));
setsockopt(fd, SOL_ALG, ALG_SET_KEY, buf, 16);
fork();
fd = accept(fd, NULL, NULL);
for (;;)
write(fd, buf, 256);
}
The immediate cause of the crash is that vmac_ctx_t.partial_size exceeds
VMAC_NHBYTES, causing vmac_final() to memset() a negative length.
Reported-by: syzbot+264bca3a6e8d645550d3@syzkaller.appspotmail.com
Fixes: f1939f7c5645 ("crypto: vmac - New hash algorithm for intel_txt support")
Cc: <stable@vger.kernel.org> # v2.6.32+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit 73bf20ef3df262026c3470241ae4ac8196943ffa upstream.
The VMAC template assumes the block cipher has a 128-bit block size, but
it failed to check for that. Thus it was possible to instantiate it
using a 64-bit block size cipher, e.g. "vmac(cast5)", causing
uninitialized memory to be used.
Add the needed check when instantiating the template.
Fixes: f1939f7c5645 ("crypto: vmac - New hash algorithm for intel_txt support")
Cc: <stable@vger.kernel.org> # v2.6.32+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
[ Upstream commit ad2fdcdf75d169e7a5aec6c7cb421c0bec8ec711 ]
In crypto_authenc_setkey we save pointers to the authenc keys in
a local variable of type struct crypto_authenc_keys and we don't
zeroize it after use. Fix this and don't leak pointers to the
authenc keys.
Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
[ Upstream commit 31545df391d58a3bb60e29b1192644a6f2b5a8dd ]
In crypto_authenc_esn_setkey we save pointers to the authenc keys
in a local variable of type struct crypto_authenc_keys and we don't
zeroize it after use. Fix this and don't leak pointers to the
authenc keys.
Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
This patch adds the helper crypto_type_has_alg which is meant
to replace crypto_has_alg for new-style crypto types. Rather
than hard-coding type/mask information they're now retrieved
from the crypto_type object.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
|
This patch allows skcipher algorithms and instances to be created
and registered with the crypto API. They are accessible through
the top-level skcipher interface, along with ablkcipher/blkcipher
algorithms and instances.
This patch also introduces a new parameter called chunk size
which is meant for ciphers such as CTR and CTS which ostensibly
can handle arbitrary lengths, but still behave like block ciphers
in that you can only process a partial block at the very end.
For these ciphers the block size will continue to be set to 1
as it is now while the chunk size will be set to the underlying
block size.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
|
While converting ecryptfs over to skcipher I found that it needs
to pick a default key size if one isn't given. Rather than having
it poke into the guts of the algorithm to get max_keysize, let's
provide a helper that is meant to give a sane default (just in
case we ever get an algorithm that has no maximum key size).
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
|
git://git.linaro.org/kernel/linux-linaro-stable.git
LSK 18.05 v4.4-android
* tag 'lsk-v4.4-18.05-android': (605 commits)
ANDROID: sdcardfs: Don't d_drop in d_revalidate
goldfish: pipe: ANDROID: mark local functions static
UPSTREAM: ANDROID: binder: prevent transactions into own process.
goldfish: pipe: ANDROID: Add DMA support
UPSTREAM: f2fs: clear PageError on writepage - part 2
UPSTREAM: f2fs: avoid fsync() failure caused by EAGAIN in writepage()
ANDROID: x86_64_cuttlefish_defconfig: Disable KPTI
UPSTREAM: mac80211: ibss: Fix channel type enum in ieee80211_sta_join_ibss()
UPSTREAM: mac80211: Fix clang warning about constant operand in logical operation
UPSTREAM: nl80211: Fix enum type of variable in nl80211_put_sta_rate()
UPSTREAM: sysfs: remove signedness from sysfs_get_dirent
UPSTREAM: tracing: Use cpumask_available() to check if cpumask variable may be used
BACKPORT: clocksource: Use GENMASK_ULL in definition of CLOCKSOURCE_MASK
UPSTREAM: netpoll: Fix device name check in netpoll_setup()
FROMLIST: staging: Fix sparse warnings in vsoc driver.
FROMLIST: staging: vsoc: Fix a i386-randconfig warning.
FROMLIST: staging: vsoc: Create wc kernel mapping for region shm.
goldfish: pipe: ANDROID: Replace writel with gf_write_ptr
goldfish: pipe: ANDROID: Use dev_ logging instead of pr_
goldfish: pipe: ANDROID: fix checkpatch warnings
...
Conflicts:
fs/f2fs/node.c
scripts/Makefile.lib
Change-Id: Ib92d11938a383464249fe6f2dad3ab2a05bc4770
|
|
Some crypto drivers cannot process empty data message and return a
precalculated hash for md5/sha1/sha224/sha256.
This patch add thoses precalculated hash in include/crypto.
Signed-off-by: LABBE Corentin <clabbe.montjoie@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 0c4c78de0417ced1da92351a3013e631860ea576)
Change-Id: Ie15d9e6119f415c7c5af875fec160299e9053770
Signed-off-by: Lin Jinhan <troy.lin@rock-chips.com>
|
|
* linux-linaro-lsk-v4.4: (515 commits)
Linux 4.4.132
perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map()
perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[]
perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver
perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr
perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_*
tracing/uprobe_event: Fix strncpy corner case
Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174"
atm: zatm: Fix potential Spectre v1
net: atm: Fix potential Spectre v1
can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg()
tracing: Fix regex_match_front() to not over compare the test string
libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs
rfkill: gpio: fix memory leak in probe error path
xfrm_user: fix return value from xfrm_user_rcv_msg
f2fs: fix a dead loop in f2fs_fiemap()
bdi: Fix oops in wb_workfn()
tcp: fix TCP_REPAIR_QUEUE bound checking
perf: Remove superfluous allocation error check
soreuseport: initialise timewait reuseport field
...
Conflicts:
arch/s390/kernel/module.c
arch/x86/kernel/kprobes/core.c
fs/proc/task_mmu.c
net/ipv6/route.c
Trivial conflicts between AOSP/LSK and backported/rebased LTS changes.
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
|
|
commit a466856e0b7ab269cdf9461886d007e88ff575b0 upstream.
syzbot reported :
BUG: KMSAN: uninit-value in alg_bind+0xe3/0xd90 crypto/af_alg.c:162
We need to check addr_len before dereferencing sa (or uaddr)
Fixes: bb30b8848c85 ("crypto: af_alg - whitelist mask and type")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Stephan Mueller <smueller@chronox.de>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
[ Upstream commit baae03a0e2497f49704628fd0aaf993cf98e1b99 ]
The DMA_PREP_FENCE is to be used when preparing Tx descriptor if output
of Tx descriptor is to be used by next/dependent Tx descriptor.
The DMA_PREP_FENSE will not be set correctly in do_async_gen_syndrome()
when calling dma->device_prep_dma_pq() under following conditions:
1. ASYNC_TX_FENCE not set in submit->flags
2. DMA_PREP_FENCE not set in dma_flags
3. src_cnt (= (disks - 2)) is greater than dma_maxpq(dma, dma_flags)
This patch fixes DMA_PREP_FENCE usage in do_async_gen_syndrome() taking
inspiration from do_async_xor() implementation.
Signed-off-by: Anup Patel <anup.patel@broadcom.com>
Reviewed-by: Ray Jui <ray.jui@broadcom.com>
Reviewed-by: Scott Branden <scott.branden@broadcom.com>
Acked-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit 900a081f6912a8985dc15380ec912752cb66025a upstream.
When we have an unaligned SG list entry where there is no leftover
aligned data, the hash walk code will incorrectly return zero as if
the entire SG list has been processed.
This patch fixes it by moving onto the next page instead.
Reported-by: Eli Cooper <elicooper@gmx.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Add test vectors for Speck64-XTS, generated in userspace using C code.
The inputs were borrowed from the AES-XTS test vectors, with key lengths
adjusted.
xts-speck64-neon passes these tests. However, they aren't currently
applicable for the generic XTS template, as that only supports a 128-bit
block size.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 41b3316e75ee5e8aec7234c9d631582b13a38c7d
git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master)
(removed 'const' from test vectors)
(replaced use of __VECS macro in crypto/testmgr.c)
Change-Id: I61a2c77dbfcf487d77b3d9ef0a823dadea8ddf07
Signed-off-by: Eric Biggers <ebiggers@google.com>
|
|
Add test vectors for Speck128-XTS, generated in userspace using C code.
The inputs were borrowed from the AES-XTS test vectors.
Both xts(speck128-generic) and xts-speck128-neon pass these tests.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit c3bb521bb6ac3023ae236a3a361f951f8d78ecc4
git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master)
(removed 'const' from test vectors)
(replaced use of __VECS macro in crypto/testmgr.c)
Change-Id: Ifd701d5df4a6602c207cfb28decc620ef7e5f896
Signed-off-by: Eric Biggers <ebiggers@google.com>
|
|
Export the Speck constants and transform context and the ->setkey(),
->encrypt(), and ->decrypt() functions so that they can be reused by the
ARM NEON implementation of Speck-XTS. The generic key expansion code
will be reused because it is not performance-critical and is not
vectorizable, while the generic encryption and decryption functions are
needed as fallbacks and for the XTS tweak encryption.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit c8c36413ca8ccbf7a0afe71247fc4617ee2dfcfe
git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master)
Change-Id: I93e96e1ef40de7071af212146b8ad3bf45297c1d
Signed-off-by: Eric Biggers <ebiggers@google.com>
|
|
Add a generic implementation of Speck, including the Speck128 and
Speck64 variants. Speck is a lightweight block cipher that can be much
faster than AES on processors that don't have AES instructions.
We are planning to offer Speck-XTS (probably Speck128/256-XTS) as an
option for dm-crypt and fscrypt on Android, for low-end mobile devices
with older CPUs such as ARMv7 which don't have the Cryptography
Extensions. Currently, such devices are unencrypted because AES is not
fast enough, even when the NEON bit-sliced implementation of AES is
used. Other AES alternatives such as Twofish, Threefish, Camellia,
CAST6, and Serpent aren't fast enough either; it seems that only a
modern ARX cipher can provide sufficient performance on these devices.
This is a replacement for our original proposal
(https://patchwork.kernel.org/patch/10101451/) which was to offer
ChaCha20 for these devices. However, the use of a stream cipher for
disk/file encryption with no space to store nonces would have been much
more insecure than we thought initially, given that it would be used on
top of flash storage as well as potentially on top of F2FS, neither of
which is guaranteed to overwrite data in-place.
Speck has been somewhat controversial due to its origin. Nevertheless,
it has a straightforward design (it's an ARX cipher), and it appears to
be the leading software-optimized lightweight block cipher currently,
with the most cryptanalysis. It's also easy to implement without side
channels, unlike AES. Moreover, we only intend Speck to be used when
the status quo is no encryption, due to AES not being fast enough.
We've also considered a novel length-preserving encryption mode based on
ChaCha20 and Poly1305. While theoretically attractive, such a mode
would be a brand new crypto construction and would be more complicated
and difficult to implement efficiently in comparison to Speck-XTS.
There is confusion about the byte and word orders of Speck, since the
original paper doesn't specify them. But we have implemented it using
the orders the authors recommended in a correspondence with them. The
test vectors are taken from the original paper but were mapped to byte
arrays using the recommended byte and word orders.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit da7a0ab5b4babbe5d7a46f852582be06a00a28f0
git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master)
(removed 'const' from test vectors)
(replaced use of __VECS macro in crypto/testmgr.c)
Change-Id: Id13c44dee8e3817590950c178d54b24c3aee0b4e
Signed-off-by: Eric Biggers <ebiggers@google.com>
|
|
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Conflicts:
fs/f2fs/extent_cache.c
Pick changes from AOSP Change-Id: Icd8a85ac0c19a8aa25cd2591a12b4e9b85bdf1c5
("f2fs: catch up to v4.14-rc1")
fs/f2fs/namei.c
Pick changes from AOSP F2FS backport commit 7d5c08fd9194
("f2fs: backport from (4c1fad64 - Merge tag 'for-f2fs-4.9' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs)")
|
|
commit a16e772e664b9a261424107784804cffc8894977 upstream.
Since Poly1305 requires a nonce per invocation, the Linux kernel
implementations of Poly1305 don't use the crypto API's keying mechanism
and instead expect the key and nonce as the first 32 bytes of the data.
But ->setkey() is still defined as a stub returning an error code. This
prevents Poly1305 from being used through AF_ALG and will also break it
completely once we start enforcing that all crypto API users (not just
AF_ALG) call ->setkey() if present.
Fix it by removing crypto_poly1305_setkey(), leaving ->setkey as NULL.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit 841a3ff329713f796a63356fef6e2f72e4a3f6a3 upstream.
When the cryptd template is used to wrap an unkeyed hash algorithm,
don't install a ->setkey() method to the cryptd instance. This change
is necessary for cryptd to keep working with unkeyed hash algorithms
once we start enforcing that ->setkey() is called when present.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit cd6ed77ad5d223dc6299fb58f62e0f5267f7e2ba upstream.
Templates that use an shash spawn can use crypto_shash_alg_has_setkey()
to determine whether the underlying algorithm requires a key or not.
But there was no corresponding function for ahash spawns. Add it.
Note that the new function actually has to support both shash and ahash
algorithms, since the ahash API can be used with either.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit 5c6ac1d4f8fbdbed65dbeb8cf149d736409d16a1 upstream.
In case buffer length is a multiple of PAGE_SIZE,
the S/G table is incorrectly generated.
Fix this by handling buflen = k * PAGE_SIZE separately.
Signed-off-by: Robert Baronescu <robert.baronescu@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit bb30b8848c85e18ca7e371d0a869e94b3e383bdf upstream.
The user space interface allows specifying the type and mask field used
to allocate the cipher. Only a subset of the possible flags are intended
for user space. Therefore, white-list the allowed flags.
In case the user space caller uses at least one non-allowed flag, EINVAL
is returned.
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Cherry-picked from origin/upstream-f2fs-stable-linux-4.4.y:
ba1ade71012d fscrypt: resolve some cherry-pick bugs
9e32f17d241b fscrypt: move to generic async completion
4ecacbed6e1c crypto: introduce crypto wait for async op
42d89da82b25 fscrypt: lock mutex before checking for bounce page pool
2286508d17c2 fscrypt: new helper function - fscrypt_prepare_setattr()
5cbdd42ad248 fscrypt: new helper function - fscrypt_prepare_lookup()
a31feba5c18f fscrypt: new helper function - fscrypt_prepare_rename()
95efafb6239d fscrypt: new helper function - fscrypt_prepare_link()
2b4b4f98dddf fscrypt: new helper function - fscrypt_file_open()
8c815f381cd6 fscrypt: new helper function - fscrypt_require_key()
272e43502577 fscrypt: remove unneeded empty fscrypt_operations structs
1034eeec516a fscrypt: remove ->is_encrypted()
32c0d3ae9d66 fscrypt: switch from ->is_encrypted() to IS_ENCRYPTED()
a4781dd1f175 fs, fscrypt: add an S_ENCRYPTED inode flag
ff0a3dbc9392 fscrypt: clean up include file mess
bc4a61c60bea fscrypt: fix dereference of NULL user_key_payload
a53dc7e00559 fscrypt: make ->dummy_context() return bool
Change-Id: I461d742adc7b77177df91429a1fd9c8624a698d6
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
|
|
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Conflicts:
kernel/fork.c
Conflict due to Kaiser implementation in LTS 4.4.110.
net/ipv4/raw.c
Minor conflict due to LTS commit
be27b620a861 ("net: ipv4: fix for a race condition in raw_sendmsg")
|
|
commit 9a00674213a3f00394f4e3221b88f2d21fc05789 upstream.
syzkaller triggered a NULL pointer dereference in crypto_remove_spawns()
via a program that repeatedly and concurrently requests AEADs
"authenc(cmac(des3_ede-asm),pcbc-aes-aesni)" and hashes "cmac(des3_ede)"
through AF_ALG, where the hashes are requested as "untested"
(CRYPTO_ALG_TESTED is set in ->salg_mask but clear in ->salg_feat; this
causes the template to be instantiated for every request).
Although AF_ALG users really shouldn't be able to request an "untested"
algorithm, the NULL pointer dereference is actually caused by a
longstanding race condition where crypto_remove_spawns() can encounter
an instance which has had spawn(s) "grabbed" but hasn't yet been
registered, resulting in ->cra_users still being NULL.
We probably should properly initialize ->cra_users earlier, but that
would require updating many templates individually. For now just fix
the bug in a simple way that can easily be backported: make
crypto_remove_spawns() treat a NULL ->cra_users list as empty.
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit d76c68109f37cb85b243a1cf0f40313afd2bae68 upstream.
pcrypt is using the old way of freeing instances, where the ->free()
method specified in the 'struct crypto_template' is passed a pointer to
the 'struct crypto_instance'. But the crypto_instance is being
kfree()'d directly, which is incorrect because the memory was actually
allocated as an aead_instance, which contains the crypto_instance at a
nonzero offset. Thus, the wrong pointer was being kfree()'d.
Fix it by switching to the new way to free aead_instance's where the
->free() method is specified in the aead_instance itself.
Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 0496f56065e0 ("crypto: pcrypt - Add support for new AEAD interface")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit e57121d08c38dabec15cf3e1e2ad46721af30cae upstream.
If the rfc7539 template was instantiated with a hash algorithm with
digest size larger than 16 bytes (POLY1305_DIGEST_SIZE), then the digest
overran the 'tag' buffer in 'struct chachapoly_req_ctx', corrupting the
subsequent memory, including 'cryptlen'. This caused a crash during
crypto_skcipher_decrypt().
Fix it by, when instantiating the template, requiring that the
underlying hash algorithm has the digest size expected for Poly1305.
Reproducer:
#include <linux/if_alg.h>
#include <sys/socket.h>
#include <unistd.h>
int main()
{
int algfd, reqfd;
struct sockaddr_alg addr = {
.salg_type = "aead",
.salg_name = "rfc7539(chacha20,sha256)",
};
unsigned char buf[32] = { 0 };
algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(algfd, (void *)&addr, sizeof(addr));
setsockopt(algfd, SOL_ALG, ALG_SET_KEY, buf, sizeof(buf));
reqfd = accept(algfd, 0, 0);
write(reqfd, buf, 16);
read(reqfd, buf, 16);
}
Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 71ebc4d1b27d ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Invoking a possibly async. crypto op and waiting for completion
while correctly handling backlog processing is a common task
in the crypto API implementation and outside users of it.
This patch adds a generic implementation for doing so in
preparation for using it across the board instead of hand
rolled versions.
Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
CC: Eric Biggers <ebiggers3@gmail.com>
CC: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
|
commit 9abffc6f2efe46c3564c04312e52e07622d40e51 upstream.
mcryptd_enqueue_request() grabs the per-CPU queue struct and protects
access to it with disabled preemption. Then it schedules a worker on the
same CPU. The worker in mcryptd_queue_worker() guards access to the same
per-CPU variable with disabled preemption.
If we take CPU-hotplug into account then it is possible that between
queue_work_on() and the actual invocation of the worker the CPU goes
down and the worker will be scheduled on _another_ CPU. And here the
preempt_disable() protection does not work anymore. The easiest thing is
to add a spin_lock() to guard access to the list.
Another detail: mcryptd_queue_worker() is not processing more than
MCRYPTD_BATCH invocation in a row. If there are still items left, then
it will invoke queue_work() to proceed with more later. *I* would
suggest to simply drop that check because it does not use a system
workqueue and the workqueue is already marked as "CPU_INTENSIVE". And if
preemption is required then the scheduler should do it.
However if queue_work() is used then the work item is marked as CPU
unbound. That means it will try to run on the local CPU but it may run
on another CPU as well. Especially with CONFIG_DEBUG_WQ_FORCE_RR_CPU=y.
Again, the preempt_disable() won't work here but lock which was
introduced will help.
In order to keep work-item on the local CPU (and avoid RR) I changed it
to queue_work_on().
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
|
|
[ Upstream commit 7aacbfcb331ceff3ac43096d563a1f93ed46e35e ]
Fix the way the length of the buffers used for
encryption / decryption are computed.
For e.g. in case of encryption, input buffer does not contain
an authentication tag.
Signed-off-by: Robert Baronescu <robert.baronescu@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit ecaaab5649781c5a0effdaf298a925063020500e upstream.
When asked to encrypt or decrypt 0 bytes, both the generic and x86
implementations of Salsa20 crash in blkcipher_walk_done(), either when
doing 'kfree(walk->buffer)' or 'free_page((unsigned long)walk->page)',
because walk->buffer and walk->page have not been initialized.
The bug is that Salsa20 is calling blkcipher_walk_done() even when
nothing is in 'walk.nbytes'. But blkcipher_walk_done() is only meant to
be called when a nonzero number of bytes have been provided.
The broken code is part of an optimization that tries to make only one
call to salsa20_encrypt_bytes() to process inputs that are not evenly
divisible by 64 bytes. To fix the bug, just remove this "optimization"
and use the blkcipher_walk API the same way all the other users do.
Reproducer:
#include <linux/if_alg.h>
#include <sys/socket.h>
#include <unistd.h>
int main()
{
int algfd, reqfd;
struct sockaddr_alg addr = {
.salg_type = "skcipher",
.salg_name = "salsa20",
};
char key[16] = { 0 };
algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(algfd, (void *)&addr, sizeof(addr));
reqfd = accept(algfd, 0, 0);
setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
read(reqfd, key, sizeof(key));
}
Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: eb6f13eb9f81 ("[CRYPTO] salsa20_generic: Fix multi-page processing")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1 upstream.
Because the HMAC template didn't check that its underlying hash
algorithm is unkeyed, trying to use "hmac(hmac(sha3-512-generic))"
through AF_ALG or through KEYCTL_DH_COMPUTE resulted in the inner HMAC
being used without having been keyed, resulting in sha3_update() being
called without sha3_init(), causing a stack buffer overflow.
This is a very old bug, but it seems to have only started causing real
problems when SHA-3 support was added (requires CONFIG_CRYPTO_SHA3)
because the innermost hash's state is ->import()ed from a zeroed buffer,
and it just so happens that other hash algorithms are fine with that,
but SHA-3 is not. However, there could be arch or hardware-dependent
hash algorithms also affected; I couldn't test everything.
Fix the bug by introducing a function crypto_shash_alg_has_setkey()
which tests whether a shash algorithm is keyed. Then update the HMAC
template to require that its underlying hash algorithm is unkeyed.
Here is a reproducer:
#include <linux/if_alg.h>
#include <sys/socket.h>
int main()
{
int algfd;
struct sockaddr_alg addr = {
.salg_type = "hash",
.salg_name = "hmac(hmac(sha3-512-generic))",
};
char key[4096] = { 0 };
algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(algfd, (const struct sockaddr *)&addr, sizeof(addr));
setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
}
Here was the KASAN report from syzbot:
BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:341 [inline]
BUG: KASAN: stack-out-of-bounds in sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
Write of size 4096 at addr ffff8801cca07c40 by task syzkaller076574/3044
CPU: 1 PID: 3044 Comm: syzkaller076574 Not tainted 4.14.0-mm1+ #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
memcpy+0x37/0x50 mm/kasan/kasan.c:303
memcpy include/linux/string.h:341 [inline]
sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
crypto_shash_update+0xcb/0x220 crypto/shash.c:109
shash_finup_unaligned+0x2a/0x60 crypto/shash.c:151
crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
hmac_finup+0x182/0x330 crypto/hmac.c:152
crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
shash_digest_unaligned+0x9e/0xd0 crypto/shash.c:172
crypto_shash_digest+0xc4/0x120 crypto/shash.c:186
hmac_setkey+0x36a/0x690 crypto/hmac.c:66
crypto_shash_setkey+0xad/0x190 crypto/shash.c:64
shash_async_setkey+0x47/0x60 crypto/shash.c:207
crypto_ahash_setkey+0xaf/0x180 crypto/ahash.c:200
hash_setkey+0x40/0x90 crypto/algif_hash.c:446
alg_setkey crypto/af_alg.c:221 [inline]
alg_setsockopt+0x2a1/0x350 crypto/af_alg.c:254
SYSC_setsockopt net/socket.c:1851 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1830
entry_SYSCALL_64_fastpath+0x1f/0x96
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
