From: Greg Kroah-Hartman Date: Tue, 10 Mar 2020 12:42:43 +0000 (+0100) Subject: drop queue-4.14/crypto-algif_skcipher-use-zero_or_null_ptr-in-skcipher_recvmsg_async... X-Git-Tag: v4.4.216~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=22b262226b2613db0d4be029cf06b706ff5c2e2d;p=thirdparty%2Fkernel%2Fstable-queue.git drop queue-4.14/crypto-algif_skcipher-use-zero_or_null_ptr-in-skcipher_recvmsg_async.patch --- diff --git a/queue-4.14/crypto-algif_skcipher-use-zero_or_null_ptr-in-skcipher_recvmsg_async.patch b/queue-4.14/crypto-algif_skcipher-use-zero_or_null_ptr-in-skcipher_recvmsg_async.patch deleted file mode 100644 index 2a03a80220a..00000000000 --- a/queue-4.14/crypto-algif_skcipher-use-zero_or_null_ptr-in-skcipher_recvmsg_async.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From yangerkun@huawei.com Tue Mar 10 13:13:31 2020 -From: yangerkun -Date: Thu, 5 Mar 2020 16:57:55 +0800 -Subject: crypto: algif_skcipher - use ZERO_OR_NULL_PTR in skcipher_recvmsg_async -To: , -Cc: , , -Message-ID: <20200305085755.22730-1-yangerkun@huawei.com> - -From: yangerkun - -Nowdays, we trigger a oops: -... -kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] SMP KASAN -... -Call Trace: - [] skcipher_recvmsg_async+0x3f1/0x1400 x86/../crypto/algif_skcipher.c:543 - [] skcipher_recvmsg+0x93/0x7f0 x86/../crypto/algif_skcipher.c:723 - [] sock_recvmsg_nosec x86/../net/socket.c:702 [inline] - [] sock_recvmsg x86/../net/socket.c:710 [inline] - [] sock_recvmsg+0x94/0xc0 x86/../net/socket.c:705 - [] sock_read_iter+0x27b/0x3a0 x86/../net/socket.c:787 - [] aio_run_iocb+0x21b/0x7a0 x86/../fs/aio.c:1520 - [] io_submit_one x86/../fs/aio.c:1630 [inline] - [] do_io_submit+0x6b9/0x10b0 x86/../fs/aio.c:1688 - [] SYSC_io_submit x86/../fs/aio.c:1713 [inline] - [] SyS_io_submit+0x2d/0x40 x86/../fs/aio.c:1710 - [] tracesys_phase2+0x90/0x95 - -In skcipher_recvmsg_async, we use '!sreq->tsg' to determine does we -calloc fail. However, kcalloc may return ZERO_SIZE_PTR, and with this, -the latter sg_init_table will trigger the bug. Fix it be use ZERO_OF_NULL_PTR. - -This function was introduced with ' commit a596999b7ddf ("crypto: -algif - change algif_skcipher to be asynchronous")', and has been removed -with 'commit e870456d8e7c ("crypto: algif_skcipher - overhaul memory -management")'. 
- -Reported-by: Hulk Robot -Signed-off-by: yangerkun -Signed-off-by: Greg Kroah-Hartman ---- - crypto/algif_skcipher.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -v1->v2: -update the commit message - -diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c -index d12782dc9683..9bd4691cc5c5 100644 ---- a/crypto/algif_skcipher.c -+++ b/crypto/algif_skcipher.c -@@ -538,7 +538,7 @@ static int skcipher_recvmsg_async(struct socket *sock, struct msghdr *msg, - lock_sock(sk); - tx_nents = skcipher_all_sg_nents(ctx); - sreq->tsg = kcalloc(tx_nents, sizeof(*sg), GFP_KERNEL); -- if (unlikely(!sreq->tsg)) -+ if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg))) - goto unlock; - sg_init_table(sreq->tsg, tx_nents); - memcpy(iv, ctx->iv, ivsize); --- -2.17.2 - diff --git a/queue-4.14/series b/queue-4.14/series index abd69ac04ea..600eae3f96b 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -124,4 +124,3 @@ dmaengine-coh901318-fix-a-double-lock-bug-in-dma_tc_handle.patch powerpc-fix-hardware-pmu-exception-bug-on-powervm-compatibility-mode-systems.patch dm-integrity-fix-a-deadlock-due-to-offloading-to-an-incorrect-workqueue.patch xhci-handle-port-status-events-for-removed-usb3-hcd.patch -crypto-algif_skcipher-use-zero_or_null_ptr-in-skcipher_recvmsg_async.patch
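Review bot: The commit message gives no reason for dropping the patch. Its body only repeats the subject line, so nothing records why crypto-algif_skcipher-use-zero_or_null_ptr-in-skcipher_recvmsg_async.patch leaves queue-4.14 and its series file. Add a sentence stating the cause (for example a build or apply failure on 4.14, or a request from the author or a reviewer) so the removal can be understood later without searching the list archives. On the dropped fix itself, in the crypto/algif_skcipher.c hunk, `if (unlikely(ZERO_OR_NULL_PTR(sreq->tsg)))` sends a zero-entry allocation to `unlock` on the same path as an allocation failure, and the visible context does not show which error value is returned there. If the patch is re-queued, confirm that the value returned for tx_nents == 0 is the intended one.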