From: Greg Kroah-Hartman Date: Tue, 23 Jul 2019 08:59:48 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v5.2.3~63 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d1fdf93a8d6512024fd1a58bebcd9d810276671d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: crypto-arm64-sha1-ce-correct-digest-for-empty-data-in-finup.patch crypto-arm64-sha2-ce-correct-digest-for-empty-data-in-finup.patch crypto-ghash-fix-unaligned-memory-access-in-ghash_setkey.patch
---
diff --git a/queue-4.4/crypto-arm64-sha1-ce-correct-digest-for-empty-data-in-finup.patch b/queue-4.4/crypto-arm64-sha1-ce-correct-digest-for-empty-data-in-finup.patch
new file mode 100644
index 00000000000..32f17201524
--- /dev/null
+++ b/queue-4.4/crypto-arm64-sha1-ce-correct-digest-for-empty-data-in-finup.patch
@@ -0,0 +1,41 @@
+From 1d4aaf16defa86d2665ae7db0259d6cb07e2091f Mon Sep 17 00:00:00 2001
+From: Elena Petrova
+Date: Tue, 28 May 2019 13:41:52 +0100
+Subject: crypto: arm64/sha1-ce - correct digest for empty data in finup
+
+From: Elena Petrova
+
+commit 1d4aaf16defa86d2665ae7db0259d6cb07e2091f upstream.
+
+The sha1-ce finup implementation for ARM64 produces wrong digest
+for empty input (len=0). Expected: da39a3ee..., result: 67452301...
+(initial value of SHA internal state). The error is in sha1_ce_finup:
+for empty data `finalize` will be 1, so the code is relying on
+sha1_ce_transform to make the final round. However, in
+sha1_base_do_update, the block function will not be called when
+len == 0.
+
+Fix it by setting finalize to 0 if data is empty.
+
+Fixes: 07eb54d306f4 ("crypto: arm64/sha1-ce - move SHA-1 ARMv8 implementation to base layer")
+Cc: stable@vger.kernel.org
+Signed-off-by: Elena Petrova
+Reviewed-by: Ard Biesheuvel
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/crypto/sha1-ce-glue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/crypto/sha1-ce-glue.c
++++ b/arch/arm64/crypto/sha1-ce-glue.c
+@@ -50,7 +50,7 @@ static int sha1_ce_finup(struct shash_de
+ unsigned int len, u8 *out)
+{
+ struct sha1_ce_state *sctx = shash_desc_ctx(desc);
+- bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE);
++ bool finalize = !sctx->sst.count && !(len % SHA1_BLOCK_SIZE) && len;
+
+ /*
+ * Allow the asm code to perform the finalization if there is no
diff --git a/queue-4.4/crypto-arm64-sha2-ce-correct-digest-for-empty-data-in-finup.patch b/queue-4.4/crypto-arm64-sha2-ce-correct-digest-for-empty-data-in-finup.patch
new file mode 100644
index 00000000000..4abb44512cf
--- /dev/null
+++ b/queue-4.4/crypto-arm64-sha2-ce-correct-digest-for-empty-data-in-finup.patch
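Review bot: In the queued sha1_ce_finup change, the trailing `&& len` on the `finalize` initialiser carries the whole fix, but nothing in the code says why a zero-length request must not be handed to the asm finalization path, and the visible start of the block comment below it does not mention the empty case. I would write the term as `len != 0` and add `/* len == 0: sha1_base_do_update() never calls the block function, so the asm cannot finalize */` above the declaration, so that a later cleanup does not drop it and bring back a digest equal to the initial state. The same applies to the `finalize` line of sha256_ce_finup in the sha2-ce patch queued in the next file. Both function bodies continue outside the quoted hunks, and whether the 4.4 self-tests exercise finup on an empty message is not visible here, so that is worth confirming as the regression check.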
@@ -0,0 +1,41 @@
+From 6bd934de1e393466b319d29c4427598fda096c57 Mon Sep 17 00:00:00 2001
+From: Elena Petrova
+Date: Tue, 28 May 2019 15:35:06 +0100
+Subject: crypto: arm64/sha2-ce - correct digest for empty data in finup
+
+From: Elena Petrova
+
+commit 6bd934de1e393466b319d29c4427598fda096c57 upstream.
+
+The sha256-ce finup implementation for ARM64 produces wrong digest
+for empty input (len=0). Expected: the actual digest, result: initial
+value of SHA internal state. The error is in sha256_ce_finup:
+for empty data `finalize` will be 1, so the code is relying on
+sha2_ce_transform to make the final round. However, in
+sha256_base_do_update, the block function will not be called when
+len == 0.
+
+Fix it by setting finalize to 0 if data is empty.
+
+Fixes: 03802f6a80b3a ("crypto: arm64/sha2-ce - move SHA-224/256 ARMv8 implementation to base layer")
+Cc: stable@vger.kernel.org
+Signed-off-by: Elena Petrova
+Reviewed-by: Ard Biesheuvel
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/crypto/sha2-ce-glue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/crypto/sha2-ce-glue.c
++++ b/arch/arm64/crypto/sha2-ce-glue.c
+@@ -52,7 +52,7 @@ static int sha256_ce_finup(struct shash_
+ unsigned int len, u8 *out)
+{
+ struct sha256_ce_state *sctx = shash_desc_ctx(desc);
+- bool finalize = !sctx->sst.count && !(len % SHA256_BLOCK_SIZE);
++ bool finalize = !sctx->sst.count && !(len % SHA256_BLOCK_SIZE) && len;
+
+ /*
+ * Allow the asm code to perform the finalization if there is no
diff --git a/queue-4.4/crypto-ghash-fix-unaligned-memory-access-in-ghash_setkey.patch b/queue-4.4/crypto-ghash-fix-unaligned-memory-access-in-ghash_setkey.patch
new file mode 100644
index 00000000000..0305b7f393d
--- /dev/null
+++ b/queue-4.4/crypto-ghash-fix-unaligned-memory-access-in-ghash_setkey.patch
@@ -0,0 +1,57 @@
+From 5c6bc4dfa515738149998bb0db2481a4fdead979 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Thu, 30 May 2019 10:50:39 -0700
+Subject: crypto: ghash - fix unaligned memory access in ghash_setkey()
+
+From: Eric Biggers
+
+commit 5c6bc4dfa515738149998bb0db2481a4fdead979 upstream.
+
+Changing ghash_mod_init() to be subsys_initcall made it start running
+before the alignment fault handler has been installed on ARM. In kernel
+builds where the keys in the ghash test vectors happened to be
+misaligned in the kernel image, this exposed the longstanding bug that
+ghash_setkey() is incorrectly casting the key buffer (which can have any
+alignment) to be128 for passing to gf128mul_init_4k_lle().
+
+Fix this by memcpy()ing the key to a temporary buffer.
+
+Don't fix it by setting an alignmask on the algorithm instead because
+that would unnecessarily force alignment of the data too.
+
+Fixes: 2cdc6899a88e ("crypto: ghash - Add GHASH digest algorithm for GCM")
+Reported-by: Peter Robinson
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers
+Tested-by: Peter Robinson
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/ghash-generic.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/crypto/ghash-generic.c
++++ b/crypto/ghash-generic.c
+@@ -34,6 +34,7 @@ static int ghash_setkey(struct crypto_sh
+ const u8 *key, unsigned int keylen)
+{
+ struct ghash_ctx *ctx = crypto_shash_ctx(tfm);
++ be128 k;
+
+ if (keylen != GHASH_BLOCK_SIZE) {
+ crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
+@@ -42,7 +43,12 @@ static int ghash_setkey(struct crypto_sh
+
+ if (ctx->gf128)
+ gf128mul_free_4k(ctx->gf128);
+- ctx->gf128 = gf128mul_init_4k_lle((be128 *)key);
++
++ BUILD_BUG_ON(sizeof(k) != GHASH_BLOCK_SIZE);
++ memcpy(&k, key, GHASH_BLOCK_SIZE); /* avoid violating alignment rules */
++ ctx->gf128 = gf128mul_init_4k_lle(&k);
++ memzero_explicit(&k, GHASH_BLOCK_SIZE);
++
+ if (!ctx->gf128)
+ return -ENOMEM;
+
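Review bot: The new code in ghash_setkey() wipes the 16-byte stack copy `k` with memzero_explicit(), but the old multiplication table released by `gf128mul_free_4k(ctx->gf128)` a few lines earlier is derived from the previous hash key and is just as sensitive. Whether gf128mul_free_4k() clears the table before freeing it is not visible in this hunk; if it is a plain kfree() in the 4.4 tree, the wipe of `k` covers only the smaller copy, which is worth checking for this backport. As a style point, `memcpy(&k, key, sizeof(k));` and `memzero_explicit(&k, sizeof(k));` would tie both sizes to the object itself instead of depending on the BUILD_BUG_ON. The function starts before and continues after the quoted hunks.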
diff --git a/queue-4.4/series b/queue-4.4/series
index 91393b97fac..b26e8268f59 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -57,3 +57,6 @@ floppy-fix-div-by-zero-in-setup_format_params.patch
 floppy-fix-out-of-bounds-read-in-next_valid_format.patch
 floppy-fix-invalid-pointer-dereference-in-drive_name.patch
 floppy-fix-out-of-bounds-read-in-copy_buffer.patch
+crypto-ghash-fix-unaligned-memory-access-in-ghash_setkey.patch
+crypto-arm64-sha1-ce-correct-digest-for-empty-data-in-finup.patch
+crypto-arm64-sha2-ce-correct-digest-for-empty-data-in-finup.patch