* refs/heads/tmp-bb418a1:
Linux 4.19.31
s390/setup: fix boot crash for machine without EDAT-1
bcache: use (REQ_META|REQ_PRIO) to indicate bio for metadata
KVM: nVMX: Ignore limit checks on VMX instructions using flat segments
KVM: nVMX: Apply addr size mask to effective address for VMX instructions
KVM: nVMX: Sign extend displacements of VMX instr's mem operands
KVM: x86/mmu: Do not cache MMIO accesses while memslots are in flux
KVM: x86/mmu: Detect MMIO generation wrap in any address space
KVM: Call kvm_arch_memslots_updated() before updating memslots
drm/amd/display: don't call dm_pp_ function from an fpu block
drm/amd/powerplay: correct power reading on fiji
drm/radeon/evergreen_cs: fix missing break in switch statement
drm/fb-helper: generic: Fix drm_fbdev_client_restore()
media: imx: csi: Stop upstream before disabling IDMA channel
media: imx: csi: Disable CSI immediately after last EOF
media: vimc: Add vimc-streamer for stream control
media: uvcvideo: Avoid NULL pointer dereference at the end of streaming
media: lgdt330x: fix lock status reporting
media: imx: prpencvf: Stop upstream before disabling IDMA channel
rcu: Do RCU GP kthread self-wakeup from softirq and interrupt
tpm: Unify the send callback behaviour
tpm/tpm_crb: Avoid unaligned reads in crb_recv()
md: Fix failed allocation of md_register_thread
perf intel-pt: Fix divide by zero when TSC is not available
perf/x86/intel/uncore: Fix client IMC events return huge result
perf intel-pt: Fix overlap calculation for padding
perf auxtrace: Define auxtrace record alignment
perf tools: Fix split_kallsyms_for_kcore() for trampoline symbols
perf intel-pt: Fix CYC timestamp calculation after OVF
x86/unwind/orc: Fix ORC unwind table alignment
vt: perform safe console erase in the right order
stable-kernel-rules.rst: add link to networking patch queue
bcache: never writeback a discard operation
PM / wakeup: Rework wakeup source timer cancellation
svcrpc: fix UDP on servers with lots of threads
NFSv4.1: Reinitialise sequence results before retransmitting a request
nfsd: fix wrong check in write_v4_end_grace()
nfsd: fix memory corruption caused by readdir
nfsd: fix performance-limiting session calculation
NFS: Don't recoalesce on error in nfs_pageio_complete_mirror()
NFS: Fix an I/O request leakage in nfs_do_recoalesce
NFS: Fix I/O request leakages
cpcap-charger: generate events for userspace
mfd: sm501: Fix potential NULL pointer dereference
dm integrity: limit the rate of error messages
dm: fix to_sector() for 32bit
ipmi_si: fix use-after-free of resource->name
arm64: KVM: Fix architecturally invalid reset value for FPEXC32_EL2
arm64: debug: Ensure debug handlers check triggering exception level
arm64: Fix HCR.TGE status for NMI contexts
ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify
powerpc/traps: Fix the message printed when stack overflows
powerpc/traps: fix recoverability of machine check handling on book3s/32
powerpc/hugetlb: Don't do runtime allocation of 16G pages in LPAR configuration
powerpc/ptrace: Simplify vr_get/set() to avoid GCC warning
powerpc: Fix 32-bit KVM-PR lockup and host crash with MacOS guest
powerpc/powernv: Don't reprogram SLW image on every KVM guest entry/exit
powerpc/83xx: Also save/restore SPRG4-7 during suspend
powerpc/powernv: Make opal log only readable by root
powerpc/wii: properly disable use of BATs when requested.
powerpc/32: Clear on-stack exception marker upon exception return
security/selinux: fix SECURITY_LSM_NATIVE_LABELS on reused superblock
selinux: add the missing walk_size + len check in selinux_sctp_bind_connect
jbd2: fix compile warning when using JBUFFER_TRACE
jbd2: clear dirty flag when revoking a buffer from an older transaction
serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup()
serial: 8250_pci: Fix number of ports for ACCES serial cards
serial: 8250_of: assume reg-shift of 2 for mrvl,mmp-uart
serial: uartps: Fix stuck ISR if RX disabled with non-empty FIFO
bpf: only test gso type on gso packets
drm/i915: Relax mmap VMA check
can: flexcan: FLEXCAN_IFLAG_MB: add () around macro argument
gpio: pca953x: Fix dereference of irq data in shutdown
media: i2c: ov5640: Fix post-reset delay
i2c: tegra: fix maximum transfer size
parport_pc: fix find_superio io compare code, should use equal test.
intel_th: Don't reference unassigned outputs
device property: Fix the length used in PROPERTY_ENTRY_STRING()
kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv
mm/memory.c: do_fault: avoid usage of stale vm_area_struct
mm/vmalloc: fix size check for remap_vmalloc_range_partial()
mm: hwpoison: fix thp split handing in soft_offline_in_use_page()
dmaengine: usb-dmac: Make DMAC system sleep callbacks explicit
usb: typec: tps6598x: handle block writes separately with plain-I2C adapters
usb: chipidea: tegra: Fix missed ci_hdrc_remove_device()
clk: ingenic: Fix doc of ingenic_cgu_div_info
clk: ingenic: Fix round_rate misbehaving with non-integer dividers
clk: samsung: exynos5: Fix kfree() of const memory on setting driver_override
clk: samsung: exynos5: Fix possible NULL pointer exception on platform_device_alloc() failure
clk: clk-twl6040: Fix imprecise external abort for pdmclk
clk: uniphier: Fix update register for CPU-gear
ext2: Fix underflow in ext2_max_size()
cxl: Wrap iterations over afu slices inside 'afu_list_lock'
IB/hfi1: Close race condition on user context disable and close
PCI: dwc: skip MSI init if MSIs have been explicitly disabled
PCI/DPC: Fix print AER status in DPC event handling
PCI/ASPM: Use LTR if already enabled by platform
ext4: fix crash during online resizing
ext4: add mask of ext4 flags to swap
ext4: update quota information while swapping boot loader inode
ext4: cleanup pagecache before swap i_data
ext4: fix check of inode in swap_inode_boot_loader
cpufreq: pxa2xx: remove incorrect __init annotation
cpufreq: tegra124: add missing of_node_put()
cpufreq: kryo: Release OPP tables on module removal
x86/kprobes: Prohibit probing on optprobe template code
irqchip/brcmstb-l2: Use _irqsave locking variants in non-interrupt code
irqchip/gic-v3-its: Avoid parsing _indirect_ twice for Device table
libertas_tf: don't set URB_ZERO_PACKET on IN USB transfer
soc: qcom: rpmh: Avoid accessing freed memory from batch API
Btrfs: fix corruption reading shared and compressed extents after hole punching
btrfs: ensure that a DUP or RAID1 block group has exactly two stripes
Btrfs: setup a nofs context for memory allocation at __btrfs_set_acl
Btrfs: setup a nofs context for memory allocation at btrfs_create_tree()
m68k: Add -ffreestanding to CFLAGS
ovl: Do not lose security.capability xattr over metadata file copy-up
ovl: During copy up, first copy up data and then xattrs
splice: don't merge into linked buffers
fs/devpts: always delete dcache dentry-s in dput()
scsi: qla2xxx: Fix LUN discovery if loop id is not assigned yet by firmware
scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock
scsi: sd: Optimal I/O size should be a multiple of physical block size
scsi: aacraid: Fix performance issue on logical drives
scsi: virtio_scsi: don't send sc payload with tmfs
s390/virtio: handle find on invalid queue gracefully
s390/setup: fix early warning messages
clocksource/drivers/arch_timer: Workaround for Allwinner A64 timer instability
clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown
clocksource/drivers/exynos_mct: Move one-shot check from tick clear to ISR
regulator: s2mpa01: Fix step values for some LDOs
regulator: max77620: Initialize values for DT properties
regulator: s2mps11: Fix steps for buck7, buck8 and LDO35
spi: pxa2xx: Setup maximum supported DMA transfer length
spi: ti-qspi: Fix mmap read when more than one CS in use
netfilter: ipt_CLUSTERIP: fix warning unused variable cn
mmc:fix a bug when max_discard is 0
mmc: sdhci-esdhc-imx: fix HS400 timing issue
ACPI / device_sysfs: Avoid OF modalias creation for removed device
xen: fix dom0 boot on huge systems
tracing/perf: Use strndup_user() instead of buggy open-coded version
tracing: Do not free iter->trace in fail path of tracing_open_pipe()
tracing: Use strncpy instead of memcpy for string keys in hist triggers
CIFS: Fix read after write for files with read caching
CIFS: Do not skip SMB2 message IDs on send failures
CIFS: Do not reset lease state to NONE on lease break
crypto: arm64/aes-ccm - fix bugs in non-NEON fallback routine
crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling
crypto: x86/morus - fix handling chunked inputs and MAY_SLEEP
crypto: x86/aesni-gcm - fix crash on empty plaintext
crypto: x86/aegis - fix handling chunked inputs and MAY_SLEEP
crypto: testmgr - skip crc32c context test for ahash algorithms
crypto: skcipher - set CRYPTO_TFM_NEED_KEY if ->setkey() fails
crypto: pcbc - remove bogus memcpy()s with src == dest
crypto: morus - fix handling chunked inputs
crypto: hash - set CRYPTO_TFM_NEED_KEY if ->setkey() fails
crypto: arm64/crct10dif - revert to C code for short inputs
crypto: arm64/aes-neonbs - fix returning final keystream block
crypto: arm/crct10dif - revert to C code for short inputs
crypto: aegis - fix handling chunked inputs
crypto: aead - set CRYPTO_TFM_NEED_KEY if ->setkey() fails
fix cgroup_do_mount() handling of failure exits
libnvdimm: Fix altmap reservation size calculation
libnvdimm/pmem: Honor force_raw for legacy pmem regions
libnvdimm, pfn: Fix over-trim in trim_pfn_device()
libnvdimm/label: Clear 'updating' flag after label-set update
nfit/ars: Attempt short-ARS even in the no_init_ars case
nfit/ars: Attempt a short-ARS whenever the ARS state is idle at boot
acpi/nfit: Fix bus command validation
nfit: acpi_nfit_ctl(): Check out_obj->type in the right place
stm class: Prevent division by zero
tmpfs: fix uninitialized return value in shmem_link
selftests: fib_tests: sleep after changing carrier. again.
net: set static variable an initial value in atl2_probe()
bnxt_en: Wait longer for the firmware message response to complete.
bnxt_en: Fix typo in firmware message timeout logic.
nfp: bpf: fix ALU32 high bits clearance bug
nfp: bpf: fix code-gen bug on BPF_ALU | BPF_XOR | BPF_K
net: thunderx: add nicvf_send_msg_to_pf result check for set_rx_mode_task
net: thunderx: make CFG_DONE message to run through generic send-ack sequence
bpf, lpm: fix lookup bug in map_delete_elem
mac80211_hwsim: propagate genlmsg_reply return code
phonet: fix building with clang
ARCv2: don't assume core 0x54 has dual issue
ARCv2: support manual regfile save on interrupts
ARC: uacces: remove lp_start, lp_end from clobber list
ARCv2: lib: memcpy: fix doing prefetchw outside of buffer
ixgbe: fix older devices that do not support IXGBE_MRQC_L3L4TXSWEN
tmpfs: fix link accounting when a tmpfile is linked in
mm: handle lru_add_drain_all for UP properly
net: marvell: mvneta: fix DMA debug warning
ARM: tegra: Restore DT ABI on Tegra124 Chromebooks
arm64: Relax GIC version check during early boot
ARM: dts: armada-xp: fix Armada XP boards NAND description
qed: Fix iWARP syn packet mac address validation.
qed: Fix iWARP buffer size provided for syn packet processing.
ASoC: topology: free created components in tplg load error
mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush timeout issue
xfrm: Fix inbound traffic via XFRM interfaces across network namespaces
net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe()
qmi_wwan: apply SET_DTR quirk to Sierra WP7607
pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins
net: dsa: bcm_sf2: Do not assume DSA master supports WoL
net: systemport: Fix reception of BPDUs
scsi: libiscsi: Fix race between iscsi_xmit_task and iscsi_complete_task
keys: Fix dependency loop between construction record and auth key
assoc_array: Fix shortcut creation
ARM: 8835/1: dma-mapping: Clear DMA ops on teardown
af_key: unconditionally clone on broadcast
bpf: fix lockdep false positive in stackmap
bpf: only adjust gso_size on bytestream protocols
ARM: 8824/1: fix a migrating irq bug when hotplug cpu
esp: Skip TX bytes accounting when sending from a request socket
clk: sunxi: A31: Fix wrong AHB gate number
kallsyms: Handle too long symbols in kallsyms.c
clk: sunxi-ng: v3s: Fix TCON reset de-assert bit
Input: st-keyscan - fix potential zalloc NULL dereference
auxdisplay: ht16k33: fix potential user-after-free on module unload
i2c: bcm2835: Clear current buffer pointers and counts after a transfer
i2c: cadence: Fix the hold bit setting
net: hns: Fix object reference leaks in hns_dsaf_roce_reset()
mm: page_alloc: fix ref bias in page_frag_alloc() for 1-byte allocs
x86/CPU: Add Icelake model number
net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend()
scsi: qla2xxx: Fix panic from use after free in qla2x00_async_tm_cmd
Revert "mm: use early_pfn_to_nid in page_ext_init"
mm/gup: fix gup_pmd_range() for dax
NFS: Don't use page_file_mapping after removing the page
xprtrdma: Make sure Send CQ is allocated on an existing compvec
floppy: check_events callback should not return a negative number
ipvs: fix dependency on nf_defrag_ipv6
blk-mq: insert rq with DONTPREP to hctx dispatch list when requeue
netfilter: compat: initialize all fields in xt_init
mac80211: Fix Tx aggregation session tear down with ITXQs
mac80211: call drv_ibss_join() on restart
Input: matrix_keypad - use flush_delayed_work()
Input: ps2-gpio - flush TX work when closing port
Input: cap11xx - switch to using set_brightness_blocking()
ARM: OMAP2+: fix lack of timer interrupts on CPU1 after hotplug
ASoC: samsung: Prevent clk_get_rate() calls in atomic context
KVM: arm64: Forbid kprobing of the VHE world-switch code
KVM: arm/arm64: vgic: Always initialize the group of private IRQs
arm/arm64: KVM: Don't panic on failure to properly reset system registers
arm/arm64: KVM: Allow a VCPU to fully reset itself
KVM: arm/arm64: Reset the VCPU without preemption and vcpu state loaded
ASoC: rsnd: fixup rsnd_ssi_master_clk_start() user count check
ASoC: dapm: fix out-of-bounds accesses to DAPM lookup tables
ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be uninitialized
ARM: dts: Configure clock parent for pwm vibra
Input: pwm-vibra - stop regulator after disabling pwm, not before
Input: pwm-vibra - prevent unbalanced regulator
s390/dasd: fix using offset into zero size array error
arm64: dts: rockchip: fix graph_port warning on rk3399 bob kevin and excavator
KVM: arm/arm64: vgic: Make vgic_dist->lpi_list_lock a raw_spinlock
clocksource: timer-ti-dm: Fix pwm dmtimer usage of fck reparenting
ASoC: rt5682: Correct the setting while select ASRC clk for AD/DA filter
gpu: ipu-v3: Fix CSI offsets for imx53
drm/imx: imx-ldb: add missing of_node_puts
gpu: ipu-v3: Fix i.MX51 CSI control registers offset
drm/imx: ignore plane updates on disabled crtcs
crypto: rockchip - update new iv to device in multiple operations
crypto: rockchip - fix scatterlist nents error
crypto: ahash - fix another early termination in hash walk
crypto: cfb - remove bogus memcpy() with src == dest
crypto: cfb - add missing 'chunksize' property
crypto: ccree - don't copy zero size ciphertext
crypto: ccree - unmap buffer before copying IV
crypto: ccree - fix free of unallocated mlli buffer
crypto: caam - fix DMA mapping of stack memory
crypto: caam - fixed handling of sg list
crypto: ccree - fix missing break in switch statement
crypto: caam - fix hash context DMA unmap size
stm class: Fix an endless loop in channel allocation
mei: bus: move hw module get/put to probe/release
mei: hbm: clean the feature flags on link reset
iio: adc: exynos-adc: Fix NULL pointer exception on unbind
ASoC: codecs: pcm186x: Fix energysense SLEEP bit
ASoC: codecs: pcm186x: fix wrong usage of DECLARE_TLV_DB_SCALE()
ASoC: fsl_esai: fix register setting issue in RIGHT_J mode
9p/net: fix memory leak in p9_client_create
9p: use inode->i_lock to protect i_size_write() under 32-bit
media: videobuf2-v4l2: drop WARN_ON in vb2_warn_zero_bytesused()
ANDROID: cuttlefish_defconfig: Enable CONFIG_INPUT_MOUSEDEV
FROMLIST: psi: introduce psi monitor
FROMLIST: refactor header includes to allow kthread.h inclusion in psi_types.h
FROMLIST: psi: track changed states
FROMLIST: psi: split update_stats into parts
FROMLIST: psi: rename psi fields in preparation for psi trigger addition
FROMLIST: psi: make psi_enable static
FROMLIST: psi: introduce state_mask to represent stalled psi states
ANDROID: cuttlefish_defconfig: Enable CONFIG_PSI
UPSTREAM: kernel: cgroup: add poll file operation
UPSTREAM: fs: kernfs: add poll file operation
UPSTREAM: psi: avoid divide-by-zero crash inside virtual machines
UPSTREAM: psi: clarify the Kconfig text for the default-disable option
UPSTREAM: psi: fix aggregation idle shut-off
UPSTREAM: psi: fix reference to kernel commandline enable
UPSTREAM: psi: make disabling/enabling easier for vendor kernels
UPSTREAM: kernel/sched/psi.c: simplify cgroup_move_task()
UPSTREAM: psi: cgroup support
UPSTREAM: psi: pressure stall information for CPU, memory, and IO
UPSTREAM: sched: introduce this_rq_lock_irq()
UPSTREAM: sched: sched.h: make rq locking and clock functions available in stats.h
UPSTREAM: sched: loadavg: make calc_load_n() public
BACKPORT: sched: loadavg: consolidate LOAD_INT, LOAD_FRAC, CALC_LOAD
UPSTREAM: delayacct: track delays from thrashing cache pages
UPSTREAM: mm: workingset: tell cache transitions from workingset thrashing
Conflicts:
	arch/arm/kernel/irq.c
	drivers/scsi/sd.c
	include/linux/sched.h
	init/Kconfig
	kernel/sched/Makefile
	kernel/sched/sched.h
	kernel/workqueue.c
	sound/soc/soc-dapm.c
Change-Id: Ia2dcc01c712134c57037ca6788d51172f66bcd93
Signed-off-by: Ivaylo Georgiev <irgeorgiev@codeaurora.org>
commit ba7d7433a0e998c902132bd47330e355a1eaa894 upstream.
Some algorithms have a ->setkey() method that is not atomic, in the
sense that setting a key can fail after changes were already made to the
tfm context. In this case, if a key was already set the tfm can end up
in a state that corresponds to neither the old key nor the new key.
It's not feasible to make all ->setkey() methods atomic, especially ones
that have to key multiple sub-tfms. Therefore, make the crypto API set
CRYPTO_TFM_NEED_KEY if ->setkey() fails and the algorithm requires a
key, to prevent the tfm from being used until a new key is set.
Note: we can't set CRYPTO_TFM_NEED_KEY for OPTIONAL_KEY algorithms, so
->setkey() for those must nevertheless be atomic. That's fine for now
since only the crc32 and crc32c algorithms set OPTIONAL_KEY, and it's
not intended that OPTIONAL_KEY be used much.
[Cc stable mainly because when introducing the NEED_KEY flag I changed
AF_ALG to rely on it; and unlike in-kernel crypto API users, AF_ALG
previously didn't have this problem. So these "incompletely keyed"
states became theoretically accessible via AF_ALG -- though, the
opportunities for causing real mischief seem pretty limited.]
Fixes: 9fa68f6200 ("crypto: hash - prevent using keyed hashes without setting key")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
In the quest to remove all stack VLA usage from the kernel[1], this uses
the newly defined max alignment to perform unaligned hashing to avoid
VLAs, and drops the helper function while adding sanity checks on the
resulting buffer sizes. Additionally, the __aligned_largest macro is
removed since this helper was the only user.
[1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com
Change-Id: I5ac3bcad06454601823f8b69d6c08288285800e9
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Git-Repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Git-Commit: f3569fd613f669c95ad187208ad281995f30cc2a
Signed-off-by: Rishabh Bhatnagar <rishabhb@codeaurora.org>
In the quest to remove all stack VLA usage from the kernel[1], this
removes the VLAs in SHASH_DESC_ON_STACK (via crypto_shash_descsize())
by using the maximum allowable size (which is now more clearly captured
in a macro), along with a few other cases. Similar limits are turned into
macros as well.
A review of existing sizes shows that SHA512_DIGEST_SIZE (64) is the
largest digest size and that sizeof(struct sha3_state) (360) is the
largest descriptor size. The corresponding maximums are reduced.
[1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com
Change-Id: I5281cc251f49e9c7d9761f7ec7217dd08588c26d
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Git-Repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Git-Commit: b68a7ec1e9a3efac53ae26a1658a553825a2375c
Signed-off-by: Rishabh Bhatnagar <rishabhb@codeaurora.org>
Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding. Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.
A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool. However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed. Examples of this include:
- KEYCTL_DH_COMPUTE, via the KDF extension
- dm-verity
- dm-crypt, via the ESSIV support
- dm-integrity, via the "internal hash" mode with no key given
- drbd (Distributed Replicated Block Device)
This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.
Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not. Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.
The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
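The two commits above (the one introducing CRYPTO_TFM_NEED_KEY, and the earlier one in this log that additionally sets it when ->setkey() fails) describe a fail-closed keying state machine. The following is an added example, not kernel code and not part of any commit here: a userspace model of that rule using this example's own names (struct model_tfm, MODEL_NEED_KEY, model_setkey(), model_hash_init(), and a hypothetical 64-byte key limit). The model's setkey is deliberately non-atomic, as the commit text says real ->setkey() methods can be, so a failed re-key leaves the context half-modified and the flag is what stops it from being used:

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#ifndef ENOKEY
#define ENOKEY 126              /* Linux value; not every libc defines it */
#endif

#define MODEL_NEED_KEY 0x1u     /* stands in for CRYPTO_TFM_NEED_KEY */
#define MODEL_MAX_KEY  64       /* hypothetical per-algorithm key limit */

/* Hypothetical transform; models only the keying state, not any hashing. */
struct model_tfm {
    unsigned int flags;
    int requires_key;           /* 1 for hmac-like algorithms, 0 for plain hashes */
    uint8_t key[MODEL_MAX_KEY];
    size_t keylen;
};

/* A keyed transform is unusable until setkey() has succeeded at least once. */
void model_tfm_init(struct model_tfm *tfm, int requires_key)
{
    memset(tfm, 0, sizeof(*tfm));
    tfm->requires_key = requires_key;
    if (requires_key)
        tfm->flags |= MODEL_NEED_KEY;
}

/* Deliberately non-atomic, like the real ->setkey() methods the commit
 * describes: part of the context is overwritten before the call can fail. */
static int model_setkey_raw(struct model_tfm *tfm, const uint8_t *key, size_t keylen)
{
    size_t n = keylen < MODEL_MAX_KEY ? keylen : MODEL_MAX_KEY;

    memcpy(tfm->key, key, n);           /* context already changed ... */
    if (keylen > MODEL_MAX_KEY)
        return -EINVAL;                 /* ... and only now do we fail */
    tfm->keylen = keylen;
    return 0;
}

/* Wrapper applying the rule from both commits: clear NEED_KEY only on
 * success, and set it again on failure so the half-keyed tfm cannot be used.
 * Algorithms that do not require a key (the OPTIONAL_KEY case) never get
 * the flag, so their setkey must stay atomic on its own. */
int model_setkey(struct model_tfm *tfm, const uint8_t *key, size_t keylen)
{
    int err = model_setkey_raw(tfm, key, keylen);

    if (err) {
        if (tfm->requires_key)
            tfm->flags |= MODEL_NEED_KEY;
        return err;
    }
    tfm->flags &= ~MODEL_NEED_KEY;
    return 0;
}

/* Stands in for the init/import/digest entry points: refuse with -ENOKEY. */
int model_hash_init(struct model_tfm *tfm)
{
    if (tfm->flags & MODEL_NEED_KEY)
        return -ENOKEY;
    return 0;
}

/* Walks the state machine; returns 0 when every transition behaves as
 * described, otherwise the number of the step that went wrong. */
int model_demo(void)
{
    struct model_tfm tfm;
    uint8_t good[16] = { 0x11 };
    uint8_t too_long[MODEL_MAX_KEY + 8] = { 0x22 };

    model_tfm_init(&tfm, 1);
    if (model_hash_init(&tfm) != -ENOKEY)                         return 1; /* never keyed */
    if (model_setkey(&tfm, good, sizeof good) != 0)               return 2;
    if (model_hash_init(&tfm) != 0)                               return 3; /* keyed, usable */
    if (model_setkey(&tfm, too_long, sizeof too_long) != -EINVAL) return 4;
    if (model_hash_init(&tfm) != -ENOKEY)                         return 5; /* half-keyed, locked */
    if (model_setkey(&tfm, good, sizeof good) != 0)               return 6;
    if (model_hash_init(&tfm) != 0)                               return 7; /* re-keyed, usable */

    model_tfm_init(&tfm, 0);                  /* unkeyed hash, never needs a key */
    if (model_hash_init(&tfm) != 0)                               return 8;
    return 0;
}
```

The point of step 5 is the one the later commit makes: after a failed re-key the context corresponds to neither the old key nor the new one, and the only safe answer is to refuse all use until a setkey() succeeds. On a real kernel the equivalent check is that an AF_ALG "hash" socket bound to an hmac algorithm returns ENOKEY on read/write until ALG_SET_KEY has succeeded.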
Because the HMAC template didn't check that its underlying hash
algorithm is unkeyed, trying to use "hmac(hmac(sha3-512-generic))"
through AF_ALG or through KEYCTL_DH_COMPUTE resulted in the inner HMAC
being used without having been keyed, resulting in sha3_update() being
called without sha3_init(), causing a stack buffer overflow.
This is a very old bug, but it seems to have only started causing real
problems when SHA-3 support was added (requires CONFIG_CRYPTO_SHA3)
because the innermost hash's state is ->import()ed from a zeroed buffer,
and it just so happens that other hash algorithms are fine with that,
but SHA-3 is not. However, there could be arch or hardware-dependent
hash algorithms also affected; I couldn't test everything.
Fix the bug by introducing a function crypto_shash_alg_has_setkey()
which tests whether a shash algorithm is keyed. Then update the HMAC
template to require that its underlying hash algorithm is unkeyed.
Here is a reproducer:
#include <linux/if_alg.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>
int main(void)
{
    int algfd;
    struct sockaddr_alg addr = {
        .salg_type = "hash",
        .salg_name = "hmac(hmac(sha3-512-generic))",
    };
    char key[4096] = { 0 };  /* longer than the block size, so hmac_setkey() digests it with the inner hash */
    algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (algfd < 0) {
        perror("socket(AF_ALG)");
        return 1;
    }
    if (bind(algfd, (const struct sockaddr *)&addr, sizeof(addr)) < 0) {
        perror("bind");  /* fails if the kernel lacks SHA-3 or HMAC support */
        return 1;
    }
    /* On an unpatched kernel this call triggers the stack overflow below. */
    if (setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key)) < 0)
        perror("setsockopt(ALG_SET_KEY)");
    close(algfd);
    return 0;
}
Here was the KASAN report from syzbot:
BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:341 [inline]
BUG: KASAN: stack-out-of-bounds in sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
Write of size 4096 at addr ffff8801cca07c40 by task syzkaller076574/3044
CPU: 1 PID: 3044 Comm: syzkaller076574 Not tainted 4.14.0-mm1+ #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
memcpy+0x37/0x50 mm/kasan/kasan.c:303
memcpy include/linux/string.h:341 [inline]
sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
crypto_shash_update+0xcb/0x220 crypto/shash.c:109
shash_finup_unaligned+0x2a/0x60 crypto/shash.c:151
crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
hmac_finup+0x182/0x330 crypto/hmac.c:152
crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
shash_digest_unaligned+0x9e/0xd0 crypto/shash.c:172
crypto_shash_digest+0xc4/0x120 crypto/shash.c:186
hmac_setkey+0x36a/0x690 crypto/hmac.c:66
crypto_shash_setkey+0xad/0x190 crypto/shash.c:64
shash_async_setkey+0x47/0x60 crypto/shash.c:207
crypto_ahash_setkey+0xaf/0x180 crypto/ahash.c:200
hash_setkey+0x40/0x90 crypto/algif_hash.c:446
alg_setkey crypto/af_alg.c:221 [inline]
alg_setsockopt+0x2a1/0x350 crypto/af_alg.c:254
SYSC_setsockopt net/socket.c:1851 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1830
entry_SYSCALL_64_fastpath+0x1f/0x96
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
The shash ahash digest adaptor function may crash if given a
zero-length input together with a null SG list. This is because
it tries to read the SG list before looking at the length.
This patch fixes it by checking the length first.
Cc: <stable@vger.kernel.org>
Reported-by: Stephan Müller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Stephan Müller <smueller@chronox.de>
The SCTP program may sleep under a spinlock, and the function call path is:
  sctp_generate_t3_rtx_event (acquire the spinlock)
    sctp_do_sm
      sctp_side_effects
        sctp_cmd_interpreter
          sctp_make_init_ack
            sctp_pack_cookie
              crypto_shash_setkey
                shash_setkey_unaligned
                  kmalloc(GFP_KERNEL)
For the same reason, the orinoco driver may sleep in interrupt handler,
and the function call path is:
  orinoco_rx_isr_tasklet
    orinoco_rx
      orinoco_mic
        crypto_shash_setkey
          shash_setkey_unaligned
            kmalloc(GFP_KERNEL)
To fix it, GFP_KERNEL is replaced with GFP_ATOMIC.
This bug is found by my static analysis tool and my code review.
Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Continuing from this commit: 52f5684c8e
("kernel: use macros from compiler.h instead of __attribute__((...))")
I submitted 4 total patches. They are part of a task I've taken up to
increase compiler portability in the kernel. I've cleaned up the
subsystems under /kernel /mm /block and /security, this patch targets
/crypto.
There is <linux/compiler.h> which provides macros for various gcc specific
constructs. Eg: __weak for __attribute__((weak)). I've cleaned all
instances of gcc specific attributes with the right macros for the crypto
subsystem.
I had to make one additional change into compiler-gcc.h for the case when
one wants to use this: __attribute__((aligned)) and not specify an alignment
factor. From the gcc docs, this will result in the largest alignment for
that data type on the target machine so I've named the macro
__aligned_largest. Please advise if another name is more appropriate.
Signed-off-by: Gideon Israel Dsouza <gidisrael@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Pull crypto update from Herbert Xu:
"Here is the crypto update for 4.6:
API:
- Convert remaining crypto_hash users to shash or ahash, also convert
blkcipher/ablkcipher users to skcipher.
- Remove crypto_hash interface.
- Remove crypto_pcomp interface.
- Add crypto engine for async cipher drivers.
- Add akcipher documentation.
- Add skcipher documentation.
Algorithms:
- Rename crypto/crc32 to avoid name clash with lib/crc32.
- Fix bug in keywrap where we zero the wrong pointer.
Drivers:
- Support T5/M5, T7/M7 SPARC CPUs in n2 hwrng driver.
- Add PIC32 hwrng driver.
- Support BCM6368 in bcm63xx hwrng driver.
- Pack structs for 32-bit compat users in qat.
- Use crypto engine in omap-aes.
- Add support for sama5d2x SoCs in atmel-sha.
- Make atmel-sha available again.
- Make sahara hashing available again.
- Make ccp hashing available again.
- Make sha1-mb available again.
- Add support for multiple devices in ccp.
- Improve DMA performance in caam.
- Add hashing support to rockchip"
* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (116 commits)
crypto: qat - remove redundant arbiter configuration
crypto: ux500 - fix checks of error code returned by devm_ioremap_resource()
crypto: atmel - fix checks of error code returned by devm_ioremap_resource()
crypto: qat - Change the definition of icp_qat_uof_regtype
hwrng: exynos - use __maybe_unused to hide pm functions
crypto: ccp - Add abstraction for device-specific calls
crypto: ccp - CCP versioning support
crypto: ccp - Support for multiple CCPs
crypto: ccp - Remove check for x86 family and model
crypto: ccp - memset request context to zero during import
lib/mpi: use "static inline" instead of "extern inline"
lib/mpi: avoid assembler warning
hwrng: bcm63xx - fix non device tree compatibility
crypto: testmgr - allow rfc3686 aes-ctr variants in fips mode.
crypto: qat - The AE id should be less than the maximal AE number
lib/mpi: Endianness fix
crypto: rockchip - add hash support for crypto engine in rk3288
crypto: xts - fix compile errors
crypto: doc - add skcipher API documentation
crypto: doc - update AEAD AD handling
...
This patch removes all traces of the crypto_hash interface, now
that everyone has switched over to shash or ahash.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
The has_key logic is wrong for shash algorithms as they always
have a setkey function. So we should instead be testing against
shash_no_setkey.
Fixes: a5596d6332 ("crypto: hash - Add crypto_ahash_has_setkey")
Cc: stable@vger.kernel.org
Reported-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Stephan Mueller <smueller@chronox.de>
This patch adds a way for ahash users to determine whether a key
is required by a crypto_ahash transform.
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
__attribute__((aligned)) applies the default alignment for the largest scalar
type for the target ABI. gcc allows it to be applied inline to a defined type.
Clang only allows it to be applied to a type definition (PR11071).
Making it into 2 lines makes it more readable and works with both compilers.
Author: Mark Charlebois <charlebm@gmail.com>
Signed-off-by: Mark Charlebois <charlebm@gmail.com>
Signed-off-by: Behan Webster <behanw@converseincode.com>
Three errors resulting in kernel memory disclosure:
1/ The structures used for the netlink based crypto algorithm report API
are located on the stack. As snprintf() does not fill the remainder of
the buffer with null bytes, those stack bytes will be disclosed to users
of the API. Switch to strncpy() to fix this.
2/ crypto_report_one() does not initialize all fields of struct
crypto_user_alg. Fix this to fix the heap info leak.
3/ For the module name we should copy only as many bytes as
module_name() returns -- not as much as the destination buffer could
hold. But the current code does not and therefore copies random data
from behind the end of the module name, as the module name is always
shorter than CRYPTO_MAX_ALG_NAME.
Also switch to use strncpy() to copy the algorithm's name and
driver_name. They are strings, after all.
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
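As an added illustration of error 1 above (not code from the commit or the kernel): a stack-resident report struct filled with snprintf() keeps stale bytes after the terminator, while strncpy() NUL-pads the remainder of the buffer. The struct, NAME_LEN and the 0xAA fill that stands in for leftover stack contents are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16  /* constructed stand-in for CRYPTO_MAX_ALG_NAME */

/* Constructed stand-in for the report struct that lived on the kernel stack. */
struct report {
    char name[NAME_LEN];
};

/* Count bytes after the string terminator that are non-zero. In the real
 * bug these would be stale stack bytes handed to userspace via netlink. */
static int count_stale_bytes(const struct report *r)
{
    const char *end = memchr(r->name, 0, NAME_LEN);
    size_t n = end ? (size_t)(end - r->name) : NAME_LEN;
    int stale = 0;

    for (size_t i = n + 1; i < NAME_LEN; i++)
        if (r->name[i] != 0)
            stale++;
    return stale;
}

/* Vulnerable pattern: snprintf() writes the string and one NUL, and leaves
 * the rest of the buffer untouched. The memset simulates whatever the stack
 * held before, so the result is deterministic. */
int fill_with_snprintf(struct report *r, const char *alg)
{
    memset(r, 0xAA, sizeof(*r));
    snprintf(r->name, sizeof(r->name), "%s", alg);
    return count_stale_bytes(r);
}

/* Fixed pattern: strncpy() pads the remainder of the destination with NUL
 * bytes, so nothing from the previous stack contents survives. */
int fill_with_strncpy(struct report *r, const char *alg)
{
    memset(r, 0xAA, sizeof(*r));
    strncpy(r->name, alg, sizeof(r->name));
    return count_stale_bytes(r);
}
```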
Add crypto_[un]register_shashes() to allow simplifying init/exit code of shash
crypto modules that register multiple algorithms.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
These macros contain a hidden goto, and are thus extremely error
prone and make code hard to audit.
Signed-off-by: David S. Miller <davem@davemloft.net>
The report functions use NLA_PUT so we need to ensure that NET
is enabled.
Reported-by: Luis Henriques <henrix@camandro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
The function shash_async_import did not initialise the descriptor
correctly prior to calling the underlying shash import function.
This patch adds the required initialisation.
Reported-by: Miloslav Trmac <mitr@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
The macro CRYPTO_MINALIGN is not meant to be used directly. This
patch replaces it with crypto_tfm_ctx_alignment.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
crypto_init_shash_ops_async() tests for setkey and not for import
before exporting the algorithms import function to ahash.
This patch fixes this.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This patch provides a default export/import function for all
shash algorithms. It simply copies the descriptor context as
is done by sha1_generic.
This in essence means that all existing shash algorithms now
support export/import. This is something that will be depended
upon in implementations such as hmac. Therefore all new shash
and ahash implementations must support export/import.
For those that cannot obtain a partial result, padlock-sha's
fallback model should be used so that a partial result is always
available.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
When shash_ahash_finup encounters a null request, we end up not
calling the underlying final function. This patch fixes that.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This patch exports the finup operation where available and adds
a default finup operation for ahash. The operations final, finup
and digest also will now deal with unaligned result pointers by
copying it. Finally, export/import operations will now be
exported too.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
When we encounter an unaligned pointer we are supposed to copy
it to a temporary aligned location. However the temporary buffer
isn't aligned properly. This patch fixes that.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Some unaligned buffers on the stack weren't zapped properly which
may cause secret data to be leaked. This patch fixes them by doing
a zero memset.
It is also possible for us to place random kernel stack contents
in the digest buffer if a digest operation fails. This is fixed
by only copying if the operation succeeded.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Now that all ahash implementations have been converted to the new
ahash type, we can remove old_ahash_alg and its associated support.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This patch converts crypto_ahash to the new style. The old ahash
algorithm type is retained until the existing ahash implementations
are also converted. All ahash users will automatically get the
new crypto_ahash type.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
As the extsize and init_tfm functions belong to the frontend, the
frontend argument is superfluous.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This patch exports the async functions so that they can be reused
by cryptd when it switches over to using shash.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This patch changes descsize to a run-time attribute so that
implementations can change it in their init functions.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This patch moves the run-time null setkey check to shash_prepare_alg
just like we did for finup/digest.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This patch moves the run-time null finup/digest checks to the
shash_prepare_alg function which is run at registration time.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This patch replaces the full descriptor export with an export of
the partial hash state. This allows the use of a consistent export
format across all implementations of a given algorithm.
This is useful because a number of cases require the use of the
partial hash state, e.g., PadLock can use the SHA1 hash state
to get around the fact that it can only hash contiguous data
chunks.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This patch adds shash_register_instance so that shash instances
can be registered without bypassing the shash checks applied to
normal algorithms.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This patch adds the helper shash_attr_alg2 which locates a shash
algorithm based on the information in the given attribute.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This patch adds the functions needed to create and use shash
spawns, i.e., to use shash algorithms in a template.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This patch adds shash_instance and the associated alloc/free
functions. This is meant to be an instance with a shash
algorithm under it. Note that the instance itself doesn't have
to be shash.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
When the total length is shorter than the calculated number of unaligned bytes, the call to shash->update breaks. For example, calling crc32c on an unaligned buffer with a length of 1 can result in a system crash.
Signed-off-by: Yehuda Sadeh <yehuda@hq.newdream.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This is based on a report and patch by Geert Uytterhoeven.
The functions crypto_alloc_tfm and crypto_create_tfm return a
pointer that needs to be adjusted by the caller when successful
and otherwise an error value. This means that the caller has
to check for the error and only perform the adjustment if the
pointer returned is valid.
Since all callers want to make the adjustment and we know how
to adjust it ourselves, it's much easier to just return the adjusted
pointer directly.
The only caveat is that we have to return a void * instead of
struct crypto_tfm *. However, this isn't that bad because both
of these functions are for internal use only (by types code like
shash.c, not even algorithms code).
This patch also moves crypto_alloc_tfm into crypto/internal.h
(crypto_create_tfm is already there) to reflect this.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
We're currently checking the frontend type in init_tfm. This is
completely pointless because the fact that we're called at all
means that the frontend is ours so the type must match as well.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Module reference counting for shash is incorrect: when
a new shash transformation is created the refcount is not
increased as it should be.
Signed-off-by: Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Since most cryptographic hash algorithms have no keys, this patch
makes the setkey function optional for ahash and shash.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
This patch allows shash algorithms to be used through the old hash
interface. This is a transitional measure so we can convert the
underlying algorithms to shash before converting the users across.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
It is often useful to save the partial state of a hash function
so that it can be used as a base for two or more computations.
The most prominent example is HMAC where all hashes start from
a base determined by the key. Having an import/export interface
means that we only have to compute that base once rather than
for each message.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>