09 Jun, 2017

1 commit


23 Feb, 2017

1 commit


15 Feb, 2017

1 commit

  • commit 0b529f143e8baad441a5aac9ad55ec2434d8fb46 upstream.

    Kernel panics when userspace program try to access AEAD interface.
    Remove node from Linked List before freeing its memory.

    Signed-off-by: Harsh Jain
    Reviewed-by: Stephan Müller
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

    Harsh Jain
     

09 Feb, 2017

1 commit


11 Dec, 2016

1 commit

  • Pull crypto fixes from Herbert Xu:
    "This fixes the following issues:

    - Fix pointer size when caam is used with AArch64 boot loader on
    AArch32 kernel.

    - Fix ahash state corruption in marvell driver.

    - Fix buggy algif_aed tag handling.

    - Prevent mcryptd from being used with incompatible algorithms which
    can cause crashes"

    * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
    crypto: algif_aead - fix uninitialized variable warning
    crypto: mcryptd - Check mcryptd algorithm compatibility
    crypto: algif_aead - fix AEAD tag memory handling
    crypto: caam - fix pointer size for AArch64 boot loader, AArch32 kernel
    crypto: marvell - Don't corrupt state of an STD req for re-stepped ahash
    crypto: marvell - Don't copy hash operation twice into the SRAM

    Linus Torvalds
     

08 Dec, 2016

1 commit


07 Dec, 2016

2 commits

  • Algorithms not compatible with mcryptd could be spawned by mcryptd
    with a direct crypto_alloc_tfm invocation using a "mcryptd(alg)" name
    construct. This causes mcryptd to crash the kernel if an arbitrary
    "alg" is incompatible and not intended to be used with mcryptd. It is
    an issue if AF_ALG tries to spawn mcryptd(alg) to expose it externally.
    But such algorithms must be used internally and not be exposed.

    We added a check to enforce that only internal algorithms are allowed
    with mcryptd at the time mcryptd is spawning an algorithm.

    Link: http://marc.info/?l=linux-crypto-vger&m=148063683310477&w=2
    Cc: stable@vger.kernel.org
    Reported-by: Mikulas Patocka
    Signed-off-by: Tim Chen
    Signed-off-by: Herbert Xu

    Tim
     
  • For encryption, the AEAD ciphers require AAD || PT as input and generate
    AAD || CT || Tag as output and vice versa for decryption. Prior to this
    patch, the AF_ALG interface for AEAD ciphers requires the buffer to be
    present as input for encryption. Similarly, the output buffer for
    decryption required the presence of the tag buffer too. This implies
    that the kernel reads / writes data buffers from/to kernel space
    even though this operation is not required.

    This patch changes the AF_ALG AEAD interface to be consistent with the
    in-kernel AEAD cipher requirements.

    Due to this handling, he changes are transparent to user space with one
    exception: the return code of recv indicates the mount of output buffer.
    That output buffer has a different size compared to before the patch
    which implies that the return code of recv will also be different.
    For example, a decryption operation uses 16 bytes AAD, 16 bytes CT and
    16 bytes tag, the AF_ALG AEAD interface before showed a recv return
    code of 48 (bytes) whereas after this patch, the return code is 32
    since the tag is not returned any more.

    Reported-by: Mat Martineau
    Signed-off-by: Stephan Mueller
    Signed-off-by: Herbert Xu

    Stephan Mueller
     

06 Dec, 2016

1 commit


30 Nov, 2016

2 commits

  • Both asn1 headers are included by rsa_helper.c, so rsa_helper.o
    should explicitly depend on them.

    Signed-off-by: David Michael
    Signed-off-by: Herbert Xu

    David Michael
     
  • When using SGs, only heap memory (memory that is valid as per
    virt_addr_valid) is allowed to be referenced. The CTR DRBG used to
    reference the caller-provided memory directly in an SG. In case the
    caller provided stack memory pointers, the SG mapping is not considered
    to be valid. In some cases, this would even cause a paging fault.

    The change adds a new scratch buffer that is used unconditionally to
    catch the cases where the caller-provided buffer is not suitable for
    use in an SG. The crypto operation of the CTR DRBG produces its output
    with that scratch buffer and finally copies the content of the
    scratch buffer to the caller's buffer.

    The scratch buffer is allocated during allocation time of the CTR DRBG
    as its access is protected with the DRBG mutex.

    Signed-off-by: Stephan Mueller
    Signed-off-by: Herbert Xu

    Stephan Mueller
     

25 Nov, 2016

1 commit

  • We shouldn't free cert->pub->key in x509_cert_parse() because
    x509_free_certificate() also does this:
    BUG: Double free or freeing an invalid pointer
    ...
    Call Trace:
    [] dump_stack+0x63/0x83
    [] kasan_object_err+0x21/0x70
    [] kasan_report_double_free+0x49/0x60
    [] kasan_slab_free+0x9d/0xc0
    [] kfree+0x8a/0x1a0
    [] public_key_free+0x1f/0x30
    [] x509_free_certificate+0x24/0x90
    [] x509_cert_parse+0x2bc/0x300
    [] x509_key_preparse+0x3e/0x330
    [] asymmetric_key_preparse+0x6f/0x100
    [] key_create_or_update+0x260/0x5f0
    [] SyS_add_key+0x199/0x2a0
    [] entry_SYSCALL_64_fastpath+0x1e/0xad
    Object at ffff880110bd1900, in cache kmalloc-512 size: 512
    ....
    Freed:
    PID = 2579
    [] save_stack_trace+0x1b/0x20
    [] save_stack+0x46/0xd0
    [] kasan_slab_free+0x73/0xc0
    [] kfree+0x8a/0x1a0
    [] x509_cert_parse+0x2a3/0x300
    [] x509_key_preparse+0x3e/0x330
    [] asymmetric_key_preparse+0x6f/0x100
    [] key_create_or_update+0x260/0x5f0
    [] SyS_add_key+0x199/0x2a0
    [] entry_SYSCALL_64_fastpath+0x1e/0xad

    Fixes: db6c43bd2132 ("crypto: KEYS: convert public key and digsig asym to the akcipher api")
    Signed-off-by: Andrey Ryabinin
    Cc:
    Signed-off-by: David Howells
    Signed-off-by: James Morris

    Andrey Ryabinin
     

22 Nov, 2016

2 commits

  • The aliasing check in map_and_copy is no longer necessary because
    the IPsec ESP code no longer provides an IV that points into the
    actual request data. As this check is now triggering BUG checks
    due to the vmalloced stack code, I'm removing it.

    Reported-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Herbert Xu
     
  • Recently an init call was added to hash_recvmsg so as to reset
    the hash state in case a sendmsg call was never made.

    Unfortunately this ended up clobbering the result if the previous
    sendmsg was done with a MSG_MORE flag. This patch fixes it by
    excluding that case when we make the init call.

    Fixes: a8348bca2944 ("algif_hash - Fix NULL hash crash with shash")
    Reported-by: Patrick Steinhardt
    Signed-off-by: Herbert Xu

    Herbert Xu
     

18 Nov, 2016

1 commit

  • Recently algif_hash has been changed to allow null hashes. This
    triggers a bug when used with an shash algorithm whereby it will
    cause a crash during the digest operation.

    This patch fixes it by avoiding the digest operation and instead
    doing an init followed by a final which avoids the buggy code in
    shash.

    This patch also ensures that the result buffer is freed after an
    error so that it is not returned as a genuine hash result on the
    next recv call.

    The shash/ahash wrapper code will be fixed later to handle this
    case correctly.

    Fixes: 493b2ed3f760 ("crypto: algif_hash - Handle NULL hashes correctly")
    Signed-off-by: Herbert Xu
    Tested-by: Laura Abbott

    Herbert Xu
     

12 Oct, 2016

1 commit

  • A good practice is to prefix the names of functions by the name
    of the subsystem.

    The kthread worker API is a mix of classic kthreads and workqueues. Each
    worker has a dedicated kthread. It runs a generic function that process
    queued works. It is implemented as part of the kthread subsystem.

    This patch renames the existing kthread worker API to use
    the corresponding name from the workqueues API prefixed by
    kthread_:

    __init_kthread_worker() -> __kthread_init_worker()
    init_kthread_worker() -> kthread_init_worker()
    init_kthread_work() -> kthread_init_work()
    insert_kthread_work() -> kthread_insert_work()
    queue_kthread_work() -> kthread_queue_work()
    flush_kthread_work() -> kthread_flush_work()
    flush_kthread_worker() -> kthread_flush_worker()

    Note that the names of DEFINE_KTHREAD_WORK*() macros stay
    as they are. It is common that the "DEFINE_" prefix has
    precedence over the subsystem names.

    Note that INIT() macros and init() functions use different
    naming scheme. There is no good solution. There are several
    reasons for this solution:

    + "init" in the function names stands for the verb "initialize"
    aka "initialize worker". While "INIT" in the macro names
    stands for the noun "INITIALIZER" aka "worker initializer".

    + INIT() macros are used only in DEFINE() macros

    + init() functions are used close to the other kthread()
    functions. It looks much better if all the functions
    use the same scheme.

    + There will be also kthread_destroy_worker() that will
    be used close to kthread_cancel_work(). It is related
    to the init() function. Again it looks better if all
    functions use the same naming scheme.

    + there are several precedents for such init() function
    names, e.g. amd_iommu_init_device(), free_area_init_node(),
    jump_label_init_type(), regmap_init_mmio_clk(),

    + It is not an argument but it was inconsistent even before.

    [arnd@arndb.de: fix linux-next merge conflict]
    Link: http://lkml.kernel.org/r/20160908135724.1311726-1-arnd@arndb.de
    Link: http://lkml.kernel.org/r/1470754545-17632-3-git-send-email-pmladek@suse.com
    Suggested-by: Andrew Morton
    Signed-off-by: Petr Mladek
    Cc: Oleg Nesterov
    Cc: Tejun Heo
    Cc: Ingo Molnar
    Cc: Peter Zijlstra
    Cc: Steven Rostedt
    Cc: "Paul E. McKenney"
    Cc: Josh Triplett
    Cc: Thomas Gleixner
    Cc: Jiri Kosina
    Cc: Borislav Petkov
    Cc: Michal Hocko
    Cc: Vlastimil Babka
    Signed-off-by: Arnd Bergmann
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Petr Mladek
     

11 Oct, 2016

1 commit

  • Pull crypto updates from Herbert Xu:
    "Here is the crypto update for 4.9:

    API:
    - The crypto engine code now supports hashes.

    Algorithms:
    - Allow keys >= 2048 bits in FIPS mode for RSA.

    Drivers:
    - Memory overwrite fix for vmx ghash.
    - Add support for building ARM sha1-neon in Thumb2 mode.
    - Reenable ARM ghash-ce code by adding import/export.
    - Reenable img-hash by adding import/export.
    - Add support for multiple cores in omap-aes.
    - Add little-endian support for sha1-powerpc.
    - Add Cavium HWRNG driver for ThunderX SoC"

    * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (137 commits)
    crypto: caam - treat SGT address pointer as u64
    crypto: ccp - Make syslog errors human-readable
    crypto: ccp - clean up data structure
    crypto: vmx - Ensure ghash-generic is enabled
    crypto: testmgr - add guard to dst buffer for ahash_export
    crypto: caam - Unmap region obtained by of_iomap
    crypto: sha1-powerpc - little-endian support
    crypto: gcm - Fix IV buffer size in crypto_gcm_setkey
    crypto: vmx - Fix memory corruption caused by p8_ghash
    crypto: ghash-generic - move common definitions to a new header file
    crypto: caam - fix sg dump
    hwrng: omap - Only fail if pm_runtime_get_sync returns < 0
    crypto: omap-sham - shrink the internal buffer size
    crypto: omap-sham - add support for export/import
    crypto: omap-sham - convert driver logic to use sgs for data xmit
    crypto: omap-sham - change the DMA threshold value to a define
    crypto: omap-sham - add support functions for sg based data handling
    crypto: omap-sham - rename sgl to sgl_tmp for deprecation
    crypto: omap-sham - align algorithms on word offset
    crypto: omap-sham - add context export/import stubs
    ...

    Linus Torvalds
     

10 Oct, 2016

1 commit


07 Oct, 2016

1 commit

  • Pull dmaengine updates from Vinod Koul:
    "This is bit large pile of code which bring in some nice additions:

    - Error reporting: we have added a new mechanism for users of
    dmaenegine to register a callback_result which tells them the
    result of the dma transaction. Right now only one user (ntb) is
    using it.

    - As we discussed on KS mailing list and pointed out NO_IRQ has no
    place in kernel, this also remove NO_IRQ from dmaengine subsystem
    (both arm and ppc users)

    - Support for IOMMU slave transfers and its implementation for arm.

    - To get better build coverage, enable COMPILE_TEST for bunch of
    driver, and fix the warning and sparse complaints on these.

    - Apart from above, usual updates spread across drivers"

    * tag 'dmaengine-4.9-rc1' of git://git.infradead.org/users/vkoul/slave-dma: (169 commits)
    async_pq_val: fix DMA memory leak
    dmaengine: virt-dma: move function declarations
    dmaengine: omap-dma: Enable burst and data pack for SG
    DT: dmaengine: rcar-dmac: document R8A7743/5 support
    dmaengine: fsldma: Unmap region obtained by of_iomap
    dmaengine: jz4780: fix resource leaks on error exit return
    dma-debug: fix ia64 build, use PHYS_PFN
    dmaengine: coh901318: fix integer overflow when shifting more than 32 places
    dmaengine: edma: avoid uninitialized variable use
    dma-mapping: fix m32r build warning
    dma-mapping: fix ia64 build, use PHYS_PFN
    dmaengine: ti-dma-crossbar: enable COMPILE_TEST
    dmaengine: omap-dma: enable COMPILE_TEST
    dmaengine: edma: enable COMPILE_TEST
    dmaengine: ti-dma-crossbar: Fix of_device_id data parameter usage
    dmaengine: ti-dma-crossbar: Correct type for of_find_property() third parameter
    dmaengine/ARM: omap-dma: Fix the DMAengine compile test on non OMAP configs
    dmaengine: edma: Rename set_bits and remove unused clear_bits helper
    dmaengine: edma: Use correct type for of_find_property() third parameter
    dmaengine: edma: Fix of_device_id data parameter usage (legacy vs TPCC)
    ...

    Linus Torvalds
     

05 Oct, 2016

1 commit

  • Add missing dmaengine_unmap_put(), so we don't OOM during RAID6 sync.

    Fixes: 1786b943dad0 ("async_pq_val: convert to dmaengine_unmap_data")
    Signed-off-by: Justin Maggard
    Reviewed-by: Dan Williams
    Cc:
    Signed-off-by: Vinod Koul

    Justin Maggard
     

02 Oct, 2016

3 commits

  • Add a guard to 'state' buffer and warn if its consistency after
    call to crypto_ahash_export() changes, so that any write that
    goes beyond advertised statesize (and thus causing potential
    memory corruption [1]) is more visible.

    [1] https://marc.info/?l=linux-crypto-vger&m=147467656516085

    Signed-off-by: Jan Stancek
    Cc: Herbert Xu
    Cc: Marcelo Cerri
    Signed-off-by: Herbert Xu

    Jan Stancek
     
  • The cipher block size for GCM is 16 bytes, and thus the CTR transform
    used in crypto_gcm_setkey() will also expect a 16-byte IV. However,
    the code currently reserves only 8 bytes for the IV, causing
    an out-of-bounds access in the CTR transform. This patch fixes
    the issue by setting the size of the IV buffer to 16 bytes.

    Fixes: 84c911523020 ("[CRYPTO] gcm: Add support for async ciphers")
    Signed-off-by: Ondrej Mosnacek
    Signed-off-by: Herbert Xu

    Ondrej Mosnáček
     
  • Move common values and types used by ghash-generic to a new header file
    so drivers can directly use ghash-generic as a fallback implementation.

    Fixes: cc333cd68dfa ("crypto: vmx - Adding GHASH routines for VMX module")
    Cc: stable@vger.kernel.org
    Signed-off-by: Marcelo Cerri
    Signed-off-by: Herbert Xu

    Marcelo Cerri
     

22 Sep, 2016

1 commit

  • As the software RSA implementation now produces fixed-length
    output, we need to eliminate leading zeros in the calling code
    instead.

    This patch does just that for pkcs1pad decryption while signature
    verification was fixed in an earlier patch.

    Fixes: 9b45b7bba3d2 ("crypto: rsa - Generate fixed-length output")
    Reported-by: Mat Martineau
    Signed-off-by: Herbert Xu

    Herbert Xu
     

13 Sep, 2016

3 commits

  • Remove unneeded variables and assignments.

    Signed-off-by: Masahiro Yamada
    Signed-off-by: Herbert Xu

    Masahiro Yamada
     
  • When we need to allocate a temporary blkcipher_walk_next and it
    fails, the code is supposed to take the slow path of processing
    the data block by block. However, due to an unrelated change
    we instead end up dereferencing the NULL pointer.

    This patch fixes it by moving the unrelated bsize setting out
    of the way so that we enter the slow path as inteded.

    Fixes: 7607bd8ff03b ("[CRYPTO] blkcipher: Added blkcipher_walk_virt_block")
    Cc: stable@vger.kernel.org
    Reported-by: xiakaixu
    Reported-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu
    Tested-by: Ard Biesheuvel

    Herbert Xu
     
  • The current implementation uses a global per-cpu array to store
    data which are used to derive the next IV. This is insecure as
    the attacker may change the stored data.

    This patch removes all traces of chaining and replaces it with
    multiplication of the salt and the sequence number.

    Fixes: a10f554fa7e0 ("crypto: echainiv - Add encrypted chain IV...")
    Cc: stable@vger.kernel.org
    Reported-by: Mathias Krause
    Signed-off-by: Herbert Xu

    Herbert Xu
     

07 Sep, 2016

4 commits


31 Aug, 2016

3 commits

  • In FIPS mode, additional restrictions may apply. If these restrictions
    are violated, the kernel will panic(). This patch allows test vectors
    for symmetric ciphers to be marked as to be skipped in FIPS mode.

    Together with the patch, the XTS test vectors where the AES key is
    identical to the tweak key is disabled in FIPS mode. This test vector
    violates the FIPS requirement that both keys must be different.

    Reported-by: Tapas Sarangi
    Signed-off-by: Stephan Mueller
    Signed-off-by: Herbert Xu

    Stephan Mueller
     
  • This patch fixes an unused label warning triggered when the macro
    XOR_SELECT_TEMPLATE is not set.

    Fixes: 39457acda913 ("crypto: xor - skip speed test if the xor...")
    Reported-by: Stephen Rothwell
    Suggested-by: Stephen Rothwell
    Signed-off-by: Herbert Xu

    Herbert Xu
     
  • The AEAD code path incorrectly uses the child tfm to track the
    cryptd refcnt, and then potentially frees the child tfm.

    Fixes: 81760ea6a95a ("crypto: cryptd - Add helpers to check...")
    Reported-by: Sowmini Varadhan
    Signed-off-by: Herbert Xu

    Herbert Xu
     

24 Aug, 2016

3 commits

  • With a public notification, NIST now allows the use of RSA keys with a
    modulus >= 2048 bits. The new rule allows any modulus size >= 2048 bits
    provided that either 2048 or 3072 bits are supported at least so that
    the entire RSA implementation can be CAVS tested.

    This patch fixes the inability to boot the kernel in FIPS mode, because
    certs/x509.genkey defines a 4096 bit RSA key per default. This key causes
    the RSA signature verification to fail in FIPS mode without the patch
    below.

    Signed-off-by: Stephan Mueller
    Signed-off-by: Herbert Xu

    Stephan Mueller
     
  • Fix to return a negative error code from the error handling
    case instead of 0.

    Signed-off-by: Wei Yongjun
    Acked-by: Stephan Mueller
    Signed-off-by: Herbert Xu

    Wei Yongjun
     
  • If the architecture selected the xor function with XOR_SELECT_TEMPLATE
    the speed result of the do_xor_speed benchmark is of limited value.
    The speed measurement increases the bootup time a little, which can
    makes a difference for kernels used in container like virtual machines.

    Signed-off-by: Martin Schwidefsky
    Signed-off-by: Herbert Xu

    Martin Schwidefsky
     

16 Aug, 2016

2 commits

  • When calling the DRBG health test in FIPS mode, the Jitter RNG is not
    yet present in the kernel crypto API which will cause the instantiation
    to fail and thus the health test to fail.

    As the health tests cover the enforcement of various thresholds, invoke
    the functions that are supposed to enforce the thresholds directly.

    This patch also saves precious seed.

    Reported-by: Tapas Sarangi
    Signed-off-by: Stephan Mueller
    Signed-off-by: Herbert Xu

    Stephan Mueller
     
  • The sentence 'Based on' is misspelled, respell it.

    Signed-off-by: LABBE Corentin
    Signed-off-by: Herbert Xu

    Corentin LABBE
     

09 Aug, 2016

1 commit

  • "if (!ret == template[i].fail)" is confusing to compilers (gcc5):

    crypto/testmgr.c: In function '__test_aead':
    crypto/testmgr.c:531:12: warning: logical not is only applied to the
    left hand side of comparison [-Wlogical-not-parentheses]
    if (!ret == template[i].fail) {
    ^

    Let there be 'if (template[i].fail == !ret) '.

    Signed-off-by: Yanjiang Jin
    Signed-off-by: Herbert Xu

    Yanjiang Jin