3.18-stable patches

added patches:
	crypto-pcbc-remove-bogus-memcpy-s-with-src-dest.patch

diff --git a/queue-3.18/crypto-pcbc-remove-bogus-memcpy-s-with-src-dest.patch b/queue-3.18/crypto-pcbc-remove-bogus-memcpy-s-with-src-dest.patch
new file mode 100644 (file)
index 0000000..f35662f
--- /dev/null
+++ b/queue-3.18/crypto-pcbc-remove-bogus-memcpy-s-with-src-dest.patch
@@ -0,0 +1,93 @@
+From 251b7aea34ba3c4d4fdfa9447695642eb8b8b098 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 3 Jan 2019 20:16:13 -0800
+Subject: crypto: pcbc - remove bogus memcpy()s with src == dest
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 251b7aea34ba3c4d4fdfa9447695642eb8b8b098 upstream.
+
+The memcpy()s in the PCBC implementation use walk->iv as both the source
+and destination, which has undefined behavior.  These memcpy()'s are
+actually unneeded, because walk->iv is already used to hold the previous
+plaintext block XOR'd with the previous ciphertext block.  Thus,
+walk->iv is already updated to its final value.
+
+So remove the broken and unnecessary memcpy()s.
+
+Fixes: 91652be5d1b9 ("[CRYPTO] pcbc: Add Propagated CBC template")
+Cc: <stable@vger.kernel.org> # v2.6.21+
+Cc: David Howells <dhowells@redhat.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Maxim Zhukov <mussitantesmortem@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/pcbc.c |   14 ++++----------
+ 1 file changed, 4 insertions(+), 10 deletions(-)
+
+--- a/crypto/pcbc.c
++++ b/crypto/pcbc.c
+@@ -52,7 +52,7 @@ static int crypto_pcbc_encrypt_segment(s
+       unsigned int nbytes = walk->nbytes;
+       u8 *src = walk->src.virt.addr;
+       u8 *dst = walk->dst.virt.addr;
+-      u8 *iv = walk->iv;
++      u8 * const iv = walk->iv;
+ 
+       do {
+               crypto_xor(iv, src, bsize);
+@@ -76,7 +76,7 @@ static int crypto_pcbc_encrypt_inplace(s
+       int bsize = crypto_cipher_blocksize(tfm);
+       unsigned int nbytes = walk->nbytes;
+       u8 *src = walk->src.virt.addr;
+-      u8 *iv = walk->iv;
++      u8 * const iv = walk->iv;
+       u8 tmpbuf[bsize];
+ 
+       do {
+@@ -89,8 +89,6 @@ static int crypto_pcbc_encrypt_inplace(s
+               src += bsize;
+       } while ((nbytes -= bsize) >= bsize);
+ 
+-      memcpy(walk->iv, iv, bsize);
+-
+       return nbytes;
+ }
+ 
+@@ -130,7 +128,7 @@ static int crypto_pcbc_decrypt_segment(s
+       unsigned int nbytes = walk->nbytes;
+       u8 *src = walk->src.virt.addr;
+       u8 *dst = walk->dst.virt.addr;
+-      u8 *iv = walk->iv;
++      u8 * const iv = walk->iv;
+ 
+       do {
+               fn(crypto_cipher_tfm(tfm), dst, src);
+@@ -142,8 +140,6 @@ static int crypto_pcbc_decrypt_segment(s
+               dst += bsize;
+       } while ((nbytes -= bsize) >= bsize);
+ 
+-      memcpy(walk->iv, iv, bsize);
+-
+       return nbytes;
+ }
+ 
+@@ -156,7 +152,7 @@ static int crypto_pcbc_decrypt_inplace(s
+       int bsize = crypto_cipher_blocksize(tfm);
+       unsigned int nbytes = walk->nbytes;
+       u8 *src = walk->src.virt.addr;
+-      u8 *iv = walk->iv;
++      u8 * const iv = walk->iv;
+       u8 tmpbuf[bsize];
+ 
+       do {
+@@ -169,8 +165,6 @@ static int crypto_pcbc_decrypt_inplace(s
+               src += bsize;
+       } while ((nbytes -= bsize) >= bsize);
+ 
+-      memcpy(walk->iv, iv, bsize);
+-
+       return nbytes;
+ }
+ 

diff --git a/queue-3.18/series b/queue-3.18/series
index 3337330b77ca68648cf5a1dc7602ac6de7e66625..2362d31e476e7b0c19e2519866543711ebc9dda9 100644 (file)
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -115,3 +115,4 @@ scsi-virtio_scsi-don-t-send-sc-payload-with-tmfs.patch
 scsi-target-iscsi-avoid-iscsit_release_commands_from_conn-deadlock.patch
 m68k-add-ffreestanding-to-cflags.patch
 btrfs-fix-corruption-reading-shared-and-compressed-extents-after-hole-punching.patch
+crypto-pcbc-remove-bogus-memcpy-s-with-src-dest.patch