Eric Lee / smarc-fsl-linux-kernel

18 Aug, 2018

2 commits

  • 7e179bffb   crypto: skcipher - fix crash flushing dcache in error path ... Browse Code »

    commit 8088d3dd4d7c6933a65aa169393b5d88d8065672 upstream.

    scatterwalk_done() is only meant to be called after a nonzero number of
    bytes have been processed, since scatterwalk_pagedone() will flush the
    dcache of the *previous* page. But in the error case of
    skcipher_walk_done(), e.g. if the input wasn't an integer number of
    blocks, scatterwalk_done() was actually called after advancing 0 bytes.
    This caused a crash ("BUG: unable to handle kernel paging request")
    during '!PageSlab(page)' on architectures like arm and arm64 that define
    ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
    page-aligned as in that case walk->offset == 0.

    Fix it by reorganizing skcipher_walk_done() to skip the
    scatterwalk_advance() and scatterwalk_done() if an error has occurred.

    This bug was found by syzkaller fuzzing.

    Reproducer, assuming ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE:

    #include
    #include
    #include

    int main()
    {
    struct sockaddr_alg addr = {
    .salg_type = "skcipher",
    .salg_name = "cbc(aes-generic)",
    };
    char buffer[4096] __attribute__((aligned(4096))) = { 0 };
    int fd;

    fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    bind(fd, (void *)&addr, sizeof(addr));
    setsockopt(fd, SOL_ALG, ALG_SET_KEY, buffer, 16);
    fd = accept(fd, NULL, NULL);
    write(fd, buffer, 15);
    read(fd, buffer, 15);
    }

    Reported-by: Liu Chao
    Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk interface")
    Cc: # v4.10+
    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

    Eric Biggers
     
  • 0f2981ee0   crypto: skcipher - fix aligning block size in skcipher_copy_iv() ... Browse Code »

    commit 0567fc9e90b9b1c8dbce8a5468758e6206744d4a upstream.

    The ALIGN() macro needs to be passed the alignment, not the alignmask
    (which is the alignment minus 1).

    Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk interface")
    Cc: # v4.10+
    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

    Eric Biggers
     

30 Dec, 2017

1 commit

  • 29082870f   crypto: skcipher - set walk.iv for zero-length inputs ... Browse Code »

    commit 2b4f27c36bcd46e820ddb9a8e6fe6a63fa4250b8 upstream.

    All the ChaCha20 algorithms as well as the ARM bit-sliced AES-XTS
    algorithms call skcipher_walk_virt(), then access the IV (walk.iv)
    before checking whether any bytes need to be processed (walk.nbytes).

    But if the input is empty, then skcipher_walk_virt() doesn't set the IV,
    and the algorithms crash trying to use the uninitialized IV pointer.

    Fix it by setting the IV earlier in skcipher_walk_virt(). Also fix it
    for the AEAD walk functions.

    This isn't a perfect solution because we can't actually align the IV to
    ->cra_alignmask unless there are bytes to process, for one because the
    temporary buffer for the aligned IV is freed by skcipher_walk_done(),
    which is only called when there are bytes to process. Thus, algorithms
    that require aligned IVs will still need to avoid accessing the IV when
    walk.nbytes == 0. Still, many algorithms/architectures are fine with
    IVs having any alignment, and even for those that aren't, a misaligned
    pointer bug is much less severe than an uninitialized pointer bug.

    This change also matches the behavior of the older blkcipher_walk API.

    Fixes: 0cabf2af6f5a ("crypto: skcipher - Fix crash on zero-length input")
    Reported-by: syzbot
    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

    Eric Biggers
     

05 Dec, 2017

1 commit

  • 861eae231   crypto: skcipher - Fix skcipher_walk_aead_common ... Browse Code »

    commit c14ca8386539a298c1c19b003fe55e37d0f0e89c upstream.

    The skcipher_walk_aead_common function calls scatterwalk_copychunks on
    the input and output walks to skip the associated data. If the AD end
    at an SG list entry boundary, then after these calls the walks will
    still be pointing to the end of the skipped region.

    These offsets are later checked for alignment in skcipher_walk_next,
    so the skcipher_walk may detect the alignment incorrectly.

    This patch fixes it by calling scatterwalk_done after the copychunks
    calls to ensure that the offsets refer to the right SG list entry.

    Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk interface")
    Signed-off-by: Ondrej Mosnacek
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

    Ondrej Mosnáček
     

07 Oct, 2017

1 commit

  • 0cabf2af6   crypto: skcipher - Fix crash on zero-length input ... Browse Code »

    The skcipher walk interface doesn't handle zero-length input
    properly as the old blkcipher walk interface did. This is due
    to the fact that the length check is done too late.

    This patch moves the length check forward so that it does the
    right thing.

    Fixes: b286d8b1a690 ("crypto: skcipher - Add skcipher walk...")
    Cc:
    Reported-by: Stephan Müller
    Signed-off-by: Herbert Xu

    Herbert Xu
     

18 May, 2017

1 commit

13 Jan, 2017

1 commit

  • d8c34b949   crypto: Replaced gcc specific attributes with macros from compiler.h ... Browse Code »

    Continuing from this commit: 52f5684c8e1e
    ("kernel: use macros from compiler.h instead of __attribute__((...))")

    I submitted 4 total patches. They are part of task I've taken up to
    increase compiler portability in the kernel. I've cleaned up the
    subsystems under /kernel /mm /block and /security, this patch targets
    /crypto.

    There is which provides macros for various gcc specific
    constructs. Eg: __weak for __attribute__((weak)). I've cleaned all
    instances of gcc specific attributes with the right macros for the crypto
    subsystem.

    I had to make one additional change into compiler-gcc.h for the case when
    one wants to use this: __attribute__((aligned) and not specify an alignment
    factor. From the gcc docs, this will result in the largest alignment for
    that data type on the target machine so I've named the macro
    __aligned_largest. Please advise if another name is more appropriate.

    Signed-off-by: Gideon Israel Dsouza
    Signed-off-by: Herbert Xu

    Gideon Israel Dsouza
     

30 Dec, 2016

1 commit

  • c821f6ab2   crypto: skcipher - introduce walksize attribute for SIMD algos ... Browse Code »

    In some cases, SIMD algorithms can only perform optimally when
    allowed to operate on multiple input blocks in parallel. This is
    especially true for bit slicing algorithms, which typically take
    the same amount of time processing a single block or 8 blocks in
    parallel. However, other SIMD algorithms may benefit as well from
    bigger strides.

    So add a walksize attribute to the skcipher algorithm definition, and
    wire it up to the skcipher walk API. To avoid confusion between the
    skcipher and AEAD attributes, rename the skcipher_walk chunksize
    attribute to 'stride', and set it from the walksize (in the skcipher
    case) or from the chunksize (in the AEAD case).

    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Ard Biesheuvel
     

14 Dec, 2016

1 commit

  • 18e615ad8   crypto: skcipher - fix crash in virtual walk ... Browse Code »

    The new skcipher walk API may crash in the following way. (Interestingly,
    the tcrypt boot time tests seem unaffected, while an explicit test using
    the module triggers it)

    Unable to handle kernel NULL pointer dereference at virtual address 00000000
    ...
    [] __memcpy+0x84/0x180
    [] skcipher_walk_done+0x328/0x340
    [] ctr_encrypt+0x84/0x100
    [] simd_skcipher_encrypt+0x88/0x98
    [] crypto_rfc3686_crypt+0x8c/0x98
    [] test_skcipher_speed+0x518/0x820 [tcrypt]
    [] do_test+0x1408/0x3b70 [tcrypt]
    [] tcrypt_mod_init+0x50/0x1000 [tcrypt]
    [] do_one_initcall+0x44/0x138
    [] do_init_module+0x68/0x1e0
    [] load_module+0x1fd0/0x2458
    [] SyS_finit_module+0xe0/0xf0
    [] el0_svc_naked+0x24/0x28

    This is due to the fact that skcipher_done_slow() may be entered with
    walk->buffer unset. Since skcipher_walk_done() already deals with the
    case where walk->buffer == walk->page, it appears to be the intention
    that walk->buffer point to walk->page after skcipher_next_slow(), so
    ensure that is the case.

    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Ard Biesheuvel
     

01 Dec, 2016

1 commit

30 Nov, 2016

1 commit

  • 3cbf61fb9   crypto: skcipher - fix crash in skcipher_walk_aead() ... Browse Code »

    The new skcipher_walk_aead() may crash in the following way due to
    the walk flag SKCIPHER_WALK_PHYS not being cleared at the start of the
    walk:

    Unable to handle kernel NULL pointer dereference at virtual address 00000001
    [..]
    Internal error: Oops: 96000044 [#1] PREEMPT SMP
    [..]
    PC is at skcipher_walk_next+0x208/0x450
    LR is at skcipher_walk_next+0x1e4/0x450
    pc : [] lr : [] pstate: 40000045
    sp : ffffb925fa517940
    [...]
    [] skcipher_walk_next+0x208/0x450
    [] skcipher_walk_first+0x54/0x148
    [] skcipher_walk_aead+0xd4/0x108
    [] ccm_encrypt+0x68/0x158

    So clear the flag at the appropriate time.

    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Ard Biesheuvel
     

28 Nov, 2016

1 commit

18 Jul, 2016

2 commits

  • 3a01d0ee2   crypto: skcipher - Remove top-level givcipher interface ... Browse Code »

    This patch removes the old crypto_grab_skcipher helper and replaces
    it with crypto_grab_skcipher2.

    As this is the final entry point into givcipher this patch also
    removes all traces of the top-level givcipher interface, including
    all implicit IV generators such as chainiv.

    The bottom-level givcipher interface remains until the drivers
    using it are converted.

    Signed-off-by: Herbert Xu

    Herbert Xu
     
  • 4e6c3df4d   crypto: skcipher - Add low-level skcipher interface ... Browse Code »

    This patch allows skcipher algorithms and instances to be created
    and registered with the crypto API. They are accessible through
    the top-level skcipher interface, along with ablkcipher/blkcipher
    algorithms and instances.

    This patch also introduces a new parameter called chunk size
    which is meant for ciphers such as CTR and CTS which ostensibly
    can handle arbitrary lengths, but still behave like block ciphers
    in that you can only process a partial block at the very end.

    For these ciphers the block size will continue to be set to 1
    as it is now while the chunk size will be set to the underlying
    block size.

    Signed-off-by: Herbert Xu

    Herbert Xu
     

25 Jan, 2016

1 commit

  • 973fb3fb5   crypto: skcipher - Add default key size helper ... Browse Code »

    While converting ecryptfs over to skcipher I found that it needs
    to pick a default key size if one isn't given. Rather than having
    it poke into the guts of the algorithm to get max_keysize, let's
    provide a helper that is meant to give a sane default (just in
    case we ever get an algorithm that has no maximum key size).

    Signed-off-by: Herbert Xu

    Herbert Xu
     

18 Jan, 2016

1 commit

01 Oct, 2015

1 commit

21 Aug, 2015

1 commit

  • 7a7ffe65c   crypto: skcipher - Add top-level skcipher interface ... Browse Code »

    This patch introduces the crypto skcipher interface which aims
    to replace both blkcipher and ablkcipher.

    It's very similar to the existing ablkcipher interface. The
    main difference is the removal of the givcrypt interface. In
    order to make the transition easier for blkcipher users, there
    is a helper SKCIPHER_REQUEST_ON_STACK which can be used to place
    a request on the stack for synchronous transforms.

    Signed-off-by: Herbert Xu

    Herbert Xu