From: Greg Kroah-Hartman Date: Sun, 1 May 2022 17:18:00 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v5.4.192~56 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c14b939e7315acd0aeb2169d41d42db774f7446e;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: hex2bin-fix-access-beyond-string-end.patch hex2bin-make-the-function-hex_to_bin-constant-time.patch pinctrl-samsung-fix-missing-gpiolib-on-arm64-exynos-config.patch --- diff --git a/queue-5.10/hex2bin-fix-access-beyond-string-end.patch b/queue-5.10/hex2bin-fix-access-beyond-string-end.patch new file mode 100644 index 00000000000..4aef56380bb --- /dev/null +++ b/queue-5.10/hex2bin-fix-access-beyond-string-end.patch @@ -0,0 +1,48 @@ +From e4d8a29997731b3bb14059024b24df9f784288d0 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 27 Apr 2022 11:26:40 -0400 +Subject: hex2bin: fix access beyond string end + +From: Mikulas Patocka + +commit e4d8a29997731b3bb14059024b24df9f784288d0 upstream. + +If we pass too short string to "hex2bin" (and the string size without +the terminating NUL character is even), "hex2bin" reads one byte after +the terminating NUL character. This patch fixes it. + +Note that hex_to_bin returns -1 on error and hex2bin return -EINVAL on +error - so we can't just return the variable "hi" or "lo" on error. +This inconsistency may be fixed in the next merge window, but for the +purpose of fixing this bug, we just preserve the existing behavior and +return -1 and -EINVAL. + +Signed-off-by: Mikulas Patocka +Reviewed-by: Andy Shevchenko +Fixes: b78049831ffe ("lib: add error checking to hex2bin") +Cc: stable@vger.kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + lib/hexdump.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/lib/hexdump.c ++++ b/lib/hexdump.c +@@ -63,10 +63,13 @@ EXPORT_SYMBOL(hex_to_bin); + int hex2bin(u8 *dst, const char *src, size_t count) + { + while (count--) { +- int hi = hex_to_bin(*src++); +- int lo = hex_to_bin(*src++); ++ int hi, lo; + +- if ((hi < 0) || (lo < 0)) ++ hi = hex_to_bin(*src++); ++ if (unlikely(hi < 0)) ++ return -EINVAL; ++ lo = hex_to_bin(*src++); ++ if (unlikely(lo < 0)) + return -EINVAL; + + *dst++ = (hi << 4) | lo; diff --git a/queue-5.10/hex2bin-make-the-function-hex_to_bin-constant-time.patch b/queue-5.10/hex2bin-make-the-function-hex_to_bin-constant-time.patch new file mode 100644 index 00000000000..8eeb2c65f80 --- /dev/null +++ b/queue-5.10/hex2bin-make-the-function-hex_to_bin-constant-time.patch @@ -0,0 +1,91 @@ +From e5be15767e7e284351853cbaba80cde8620341fb Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 25 Apr 2022 08:07:48 -0400 +Subject: hex2bin: make the function hex_to_bin constant-time + +From: Mikulas Patocka + +commit e5be15767e7e284351853cbaba80cde8620341fb upstream. + +The function hex2bin is used to load cryptographic keys into device +mapper targets dm-crypt and dm-integrity. It should take constant time +independent on the processed data, so that concurrently running +unprivileged code can't infer any information about the keys via +microarchitectural convert channels. + +This patch changes the function hex_to_bin so that it contains no +branches and no memory accesses. + +Note that this shouldn't cause performance degradation because the size +of the new function is the same as the size of the old function (on +x86-64) - and the new function causes no branch misprediction penalties. + +I compile-tested this function with gcc on aarch64 alpha arm hppa hppa64 +i386 ia64 m68k mips32 mips64 powerpc powerpc64 riscv sh4 s390x sparc32 +sparc64 x86_64 and with clang on aarch64 arm hexagon i386 mips32 mips64 +powerpc powerpc64 s390x sparc32 sparc64 x86_64 to verify that there are +no branches in the generated code. + +Signed-off-by: Mikulas Patocka +Cc: stable@vger.kernel.org +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/kernel.h | 2 +- + lib/hexdump.c | 32 +++++++++++++++++++++++++------- + 2 files changed, 26 insertions(+), 8 deletions(-) + +--- a/include/linux/kernel.h ++++ b/include/linux/kernel.h +@@ -635,7 +635,7 @@ static inline char *hex_byte_pack_upper( + return buf; + } + +-extern int hex_to_bin(char ch); ++extern int hex_to_bin(unsigned char ch); + extern int __must_check hex2bin(u8 *dst, const char *src, size_t count); + extern char *bin2hex(char *dst, const void *src, size_t count); + +--- a/lib/hexdump.c ++++ b/lib/hexdump.c +@@ -22,15 +22,33 @@ EXPORT_SYMBOL(hex_asc_upper); + * + * hex_to_bin() converts one hex digit to its actual value or -1 in case of bad + * input. ++ * ++ * This function is used to load cryptographic keys, so it is coded in such a ++ * way that there are no conditions or memory accesses that depend on data. ++ * ++ * Explanation of the logic: ++ * (ch - '9' - 1) is negative if ch <= '9' ++ * ('0' - 1 - ch) is negative if ch >= '0' ++ * we "and" these two values, so the result is negative if ch is in the range ++ * '0' ... '9' ++ * we are only interested in the sign, so we do a shift ">> 8"; note that right ++ * shift of a negative value is implementation-defined, so we cast the ++ * value to (unsigned) before the shift --- we have 0xffffff if ch is in ++ * the range '0' ... '9', 0 otherwise ++ * we "and" this value with (ch - '0' + 1) --- we have a value 1 ... 10 if ch is ++ * in the range '0' ... '9', 0 otherwise ++ * we add this value to -1 --- we have a value 0 ... 9 if ch is in the range '0' ++ * ... '9', -1 otherwise ++ * the next line is similar to the previous one, but we need to decode both ++ * uppercase and lowercase letters, so we use (ch & 0xdf), which converts ++ * lowercase to uppercase + */ +-int hex_to_bin(char ch) ++int hex_to_bin(unsigned char ch) + { +- if ((ch >= '0') && (ch <= '9')) +- return ch - '0'; +- ch = tolower(ch); +- if ((ch >= 'a') && (ch <= 'f')) +- return ch - 'a' + 10; +- return -1; ++ unsigned char cu = ch & 0xdf; ++ return -1 + ++ ((ch - '0' + 1) & (unsigned)((ch - '9' - 1) & ('0' - 1 - ch)) >> 8) + ++ ((cu - 'A' + 11) & (unsigned)((cu - 'F' - 1) & ('A' - 1 - cu)) >> 8); + } + EXPORT_SYMBOL(hex_to_bin); + diff --git a/queue-5.10/pinctrl-samsung-fix-missing-gpiolib-on-arm64-exynos-config.patch b/queue-5.10/pinctrl-samsung-fix-missing-gpiolib-on-arm64-exynos-config.patch new file mode 100644 index 00000000000..88a9319405b --- /dev/null +++ b/queue-5.10/pinctrl-samsung-fix-missing-gpiolib-on-arm64-exynos-config.patch @@ -0,0 +1,79 @@ +From ac875df4d854ab13d9c4af682a1837a1214fecec Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Wed, 20 Apr 2022 16:14:07 +0200 +Subject: pinctrl: samsung: fix missing GPIOLIB on ARM64 Exynos config + +From: Krzysztof Kozlowski + +commit ac875df4d854ab13d9c4af682a1837a1214fecec upstream. + +The Samsung pinctrl drivers depend on OF_GPIO, which is part of GPIOLIB. +ARMv7 Exynos platform selects GPIOLIB and Samsung pinctrl drivers. ARMv8 +Exynos selects only the latter leading to possible wrong configuration +on ARMv8 build: + + WARNING: unmet direct dependencies detected for PINCTRL_EXYNOS + Depends on [n]: PINCTRL [=y] && OF_GPIO [=n] && (ARCH_EXYNOS [=y] || ARCH_S5PV210 || COMPILE_TEST [=y]) + Selected by [y]: + - ARCH_EXYNOS [=y] + +Always select the GPIOLIB from the Samsung pinctrl drivers to fix the +issue. This requires removing of OF_GPIO dependency (to avoid recursive +dependency), so add dependency on OF for COMPILE_TEST cases. + +Reported-by: Necip Fazil Yildiran +Fixes: eed6b3eb20b9 ("arm64: Split out platform options to separate Kconfig") +Cc: +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20220420141407.470955-1-krzysztof.kozlowski@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-exynos/Kconfig | 1 - + drivers/pinctrl/samsung/Kconfig | 11 ++++------- + 2 files changed, 4 insertions(+), 8 deletions(-) + +--- a/arch/arm/mach-exynos/Kconfig ++++ b/arch/arm/mach-exynos/Kconfig +@@ -20,7 +20,6 @@ menuconfig ARCH_EXYNOS + select EXYNOS_PMU + select EXYNOS_SROM + select EXYNOS_PM_DOMAINS if PM_GENERIC_DOMAINS +- select GPIOLIB + select HAVE_ARM_ARCH_TIMER if ARCH_EXYNOS5 + select HAVE_ARM_SCU if SMP + select HAVE_S3C2410_I2C if I2C +--- a/drivers/pinctrl/samsung/Kconfig ++++ b/drivers/pinctrl/samsung/Kconfig +@@ -4,14 +4,13 @@ + # + config PINCTRL_SAMSUNG + bool +- depends on OF_GPIO ++ select GPIOLIB + select PINMUX + select PINCONF + + config PINCTRL_EXYNOS + bool "Pinctrl common driver part for Samsung Exynos SoCs" +- depends on OF_GPIO +- depends on ARCH_EXYNOS || ARCH_S5PV210 || COMPILE_TEST ++ depends on ARCH_EXYNOS || ARCH_S5PV210 || (COMPILE_TEST && OF) + select PINCTRL_SAMSUNG + select PINCTRL_EXYNOS_ARM if ARM && (ARCH_EXYNOS || ARCH_S5PV210) + select PINCTRL_EXYNOS_ARM64 if ARM64 && ARCH_EXYNOS +@@ -26,12 +25,10 @@ config PINCTRL_EXYNOS_ARM64 + + config PINCTRL_S3C24XX + bool "Samsung S3C24XX SoC pinctrl driver" +- depends on OF_GPIO +- depends on ARCH_S3C24XX || COMPILE_TEST ++ depends on ARCH_S3C24XX || (COMPILE_TEST && OF) + select PINCTRL_SAMSUNG + + config PINCTRL_S3C64XX + bool "Samsung S3C64XX SoC pinctrl driver" +- depends on OF_GPIO +- depends on ARCH_S3C64XX || COMPILE_TEST ++ depends on ARCH_S3C64XX || (COMPILE_TEST && OF) + select PINCTRL_SAMSUNG diff --git a/queue-5.10/series b/queue-5.10/series index 9bc0802b91a..6dc323a62ed 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -29,3 +29,6 @@ serial-imx-fix-overrun-interrupts-in-dma-mode.patch serial-8250-also-set-sticky-mcr-bits-in-console-restoration.patch serial-8250-correct-the-clock-for-endrun-ptp-1588-pcie-device.patch arch_topology-do-not-set-llc_sibling-if-llc_id-is-invalid.patch +pinctrl-samsung-fix-missing-gpiolib-on-arm64-exynos-config.patch +hex2bin-make-the-function-hex_to_bin-constant-time.patch +hex2bin-fix-access-beyond-string-end.patch