From: Greg Kroah-Hartman Date: Sat, 9 Apr 2016 23:54:05 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v4.5.1~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d3439139957e0a149add604caf5c90bbb166dd18;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: crypto-ccp-add-hash-state-import-and-export-support.patch crypto-ccp-don-t-assume-export-import-areas-are-aligned.patch crypto-ccp-limit-the-amount-of-information-exported.patch crypto-ccp-memset-request-context-to-zero-during-import.patch --- diff --git a/queue-3.14/crypto-ccp-add-hash-state-import-and-export-support.patch b/queue-3.14/crypto-ccp-add-hash-state-import-and-export-support.patch new file mode 100644 index 00000000000..a35bf864be1 --- /dev/null +++ b/queue-3.14/crypto-ccp-add-hash-state-import-and-export-support.patch @@ -0,0 +1,114 @@ +From 952bce9792e6bf36fda09c2e5718abb5d9327369 Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Tue, 12 Jan 2016 11:17:38 -0600 +Subject: crypto: ccp - Add hash state import and export support + +From: Tom Lendacky + +commit 952bce9792e6bf36fda09c2e5718abb5d9327369 upstream. + +Commit 8996eafdcbad ("crypto: ahash - ensure statesize is non-zero") +added a check to prevent ahash algorithms from successfully registering +if the import and export functions were not implemented. This prevents +an oops in the hash_accept function of algif_hash. This commit causes +the ccp-crypto module SHA support and AES CMAC support from successfully +registering and causing the ccp-crypto module load to fail because the +ahash import and export functions are not implemented. + +Update the CCP Crypto API support to provide import and export support +for ahash algorithms. + +Signed-off-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-crypto-aes-cmac.c | 23 +++++++++++++++++++++++ + drivers/crypto/ccp/ccp-crypto-sha.c | 23 +++++++++++++++++++++++ + 2 files changed, 46 insertions(+) + +--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c ++++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c +@@ -201,6 +201,26 @@ static int ccp_aes_cmac_digest(struct ah + return ccp_aes_cmac_finup(req); + } + ++static int ccp_aes_cmac_export(struct ahash_request *req, void *out) ++{ ++ struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req); ++ struct ccp_aes_cmac_req_ctx *state = out; ++ ++ *state = *rctx; ++ ++ return 0; ++} ++ ++static int ccp_aes_cmac_import(struct ahash_request *req, const void *in) ++{ ++ struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req); ++ const struct ccp_aes_cmac_req_ctx *state = in; ++ ++ *rctx = *state; ++ ++ return 0; ++} ++ + static int ccp_aes_cmac_setkey(struct crypto_ahash *tfm, const u8 *key, + unsigned int key_len) + { +@@ -332,10 +352,13 @@ int ccp_register_aes_cmac_algs(struct li + alg->final = ccp_aes_cmac_final; + alg->finup = ccp_aes_cmac_finup; + alg->digest = ccp_aes_cmac_digest; ++ alg->export = ccp_aes_cmac_export; ++ alg->import = ccp_aes_cmac_import; + alg->setkey = ccp_aes_cmac_setkey; + + halg = &alg->halg; + halg->digestsize = AES_BLOCK_SIZE; ++ halg->statesize = sizeof(struct ccp_aes_cmac_req_ctx); + + base = &halg->base; + snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "cmac(aes)"); +--- a/drivers/crypto/ccp/ccp-crypto-sha.c ++++ b/drivers/crypto/ccp/ccp-crypto-sha.c +@@ -257,6 +257,26 @@ static int ccp_sha_digest(struct ahash_r + return ccp_sha_finup(req); + } + ++static int ccp_sha_export(struct ahash_request *req, void *out) ++{ ++ struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req); ++ struct ccp_sha_req_ctx *state = out; ++ ++ *state = *rctx; ++ ++ return 0; ++} ++ ++static int ccp_sha_import(struct ahash_request *req, const void *in) ++{ ++ struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req); ++ const struct ccp_sha_req_ctx *state = in; ++ ++ *rctx = *state; ++ ++ return 0; ++} ++ + static int ccp_sha_setkey(struct crypto_ahash *tfm, const u8 *key, + unsigned int key_len) + { +@@ -469,9 +489,12 @@ static int ccp_register_sha_alg(struct l + alg->final = ccp_sha_final; + alg->finup = ccp_sha_finup; + alg->digest = ccp_sha_digest; ++ alg->export = ccp_sha_export; ++ alg->import = ccp_sha_import; + + halg = &alg->halg; + halg->digestsize = def->digest_size; ++ halg->statesize = sizeof(struct ccp_sha_req_ctx); + + base = &halg->base; + snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "%s", def->name); diff --git a/queue-3.14/crypto-ccp-don-t-assume-export-import-areas-are-aligned.patch b/queue-3.14/crypto-ccp-don-t-assume-export-import-areas-are-aligned.patch new file mode 100644 index 00000000000..9b44091be45 --- /dev/null +++ b/queue-3.14/crypto-ccp-don-t-assume-export-import-areas-are-aligned.patch @@ -0,0 +1,121 @@ +From b31dde2a5cb1bf764282abf934266b7193c2bc7c Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Tue, 2 Feb 2016 11:38:21 -0600 +Subject: crypto: ccp - Don't assume export/import areas are aligned + +From: Tom Lendacky + +commit b31dde2a5cb1bf764282abf934266b7193c2bc7c upstream. + +Use a local variable for the exported and imported state so that +alignment is not an issue. On export, set a local variable from the +request context and then memcpy the contents of the local variable to +the export memory area. On import, memcpy the import memory area into +a local variable and then use the local variable to set the request +context. + +Signed-off-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-crypto-aes-cmac.c | 26 ++++++++++++++--------- + drivers/crypto/ccp/ccp-crypto-sha.c | 34 ++++++++++++++++++------------- + 2 files changed, 36 insertions(+), 24 deletions(-) + +--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c ++++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c +@@ -204,12 +204,15 @@ static int ccp_aes_cmac_digest(struct ah + static int ccp_aes_cmac_export(struct ahash_request *req, void *out) + { + struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req); +- struct ccp_aes_cmac_exp_ctx *state = out; ++ struct ccp_aes_cmac_exp_ctx state; + +- state->null_msg = rctx->null_msg; +- memcpy(state->iv, rctx->iv, sizeof(state->iv)); +- state->buf_count = rctx->buf_count; +- memcpy(state->buf, rctx->buf, sizeof(state->buf)); ++ state.null_msg = rctx->null_msg; ++ memcpy(state.iv, rctx->iv, sizeof(state.iv)); ++ state.buf_count = rctx->buf_count; ++ memcpy(state.buf, rctx->buf, sizeof(state.buf)); ++ ++ /* 'out' may not be aligned so memcpy from local variable */ ++ memcpy(out, &state, sizeof(state)); + + return 0; + } +@@ -217,12 +220,15 @@ static int ccp_aes_cmac_export(struct ah + static int ccp_aes_cmac_import(struct ahash_request *req, const void *in) + { + struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req); +- const struct ccp_aes_cmac_exp_ctx *state = in; ++ struct ccp_aes_cmac_exp_ctx state; ++ ++ /* 'in' may not be aligned so memcpy to local variable */ ++ memcpy(&state, in, sizeof(state)); + +- rctx->null_msg = state->null_msg; +- memcpy(rctx->iv, state->iv, sizeof(rctx->iv)); +- rctx->buf_count = state->buf_count; +- memcpy(rctx->buf, state->buf, sizeof(rctx->buf)); ++ rctx->null_msg = state.null_msg; ++ memcpy(rctx->iv, state.iv, sizeof(rctx->iv)); ++ rctx->buf_count = state.buf_count; ++ memcpy(rctx->buf, state.buf, sizeof(rctx->buf)); + + return 0; + } +--- a/drivers/crypto/ccp/ccp-crypto-sha.c ++++ b/drivers/crypto/ccp/ccp-crypto-sha.c +@@ -260,14 +260,17 @@ static int ccp_sha_digest(struct ahash_r + static int ccp_sha_export(struct ahash_request *req, void *out) + { + struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req); +- struct ccp_sha_exp_ctx *state = out; ++ struct ccp_sha_exp_ctx state; + +- state->type = rctx->type; +- state->msg_bits = rctx->msg_bits; +- state->first = rctx->first; +- memcpy(state->ctx, rctx->ctx, sizeof(state->ctx)); +- state->buf_count = rctx->buf_count; +- memcpy(state->buf, rctx->buf, sizeof(state->buf)); ++ state.type = rctx->type; ++ state.msg_bits = rctx->msg_bits; ++ state.first = rctx->first; ++ memcpy(state.ctx, rctx->ctx, sizeof(state.ctx)); ++ state.buf_count = rctx->buf_count; ++ memcpy(state.buf, rctx->buf, sizeof(state.buf)); ++ ++ /* 'out' may not be aligned so memcpy from local variable */ ++ memcpy(out, &state, sizeof(state)); + + return 0; + } +@@ -275,14 +278,17 @@ static int ccp_sha_export(struct ahash_r + static int ccp_sha_import(struct ahash_request *req, const void *in) + { + struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req); +- const struct ccp_sha_exp_ctx *state = in; ++ struct ccp_sha_exp_ctx state; ++ ++ /* 'in' may not be aligned so memcpy to local variable */ ++ memcpy(&state, in, sizeof(state)); + +- rctx->type = state->type; +- rctx->msg_bits = state->msg_bits; +- rctx->first = state->first; +- memcpy(rctx->ctx, state->ctx, sizeof(rctx->ctx)); +- rctx->buf_count = state->buf_count; +- memcpy(rctx->buf, state->buf, sizeof(rctx->buf)); ++ rctx->type = state.type; ++ rctx->msg_bits = state.msg_bits; ++ rctx->first = state.first; ++ memcpy(rctx->ctx, state.ctx, sizeof(rctx->ctx)); ++ rctx->buf_count = state.buf_count; ++ memcpy(rctx->buf, state.buf, sizeof(rctx->buf)); + + return 0; + } diff --git a/queue-3.14/crypto-ccp-limit-the-amount-of-information-exported.patch b/queue-3.14/crypto-ccp-limit-the-amount-of-information-exported.patch new file mode 100644 index 00000000000..78a14d2350d --- /dev/null +++ b/queue-3.14/crypto-ccp-limit-the-amount-of-information-exported.patch @@ -0,0 +1,147 @@ +From d1662165ae612ec8b5f94a6b07e65ea58b6dce34 Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Fri, 29 Jan 2016 12:45:14 -0600 +Subject: crypto: ccp - Limit the amount of information exported + +From: Tom Lendacky + +commit d1662165ae612ec8b5f94a6b07e65ea58b6dce34 upstream. + +Since the exported information can be exposed to user-space, instead of +exporting the entire request context only export the minimum information +needed. + +Signed-off-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-crypto-aes-cmac.c | 16 +++++++++++----- + drivers/crypto/ccp/ccp-crypto-sha.c | 20 +++++++++++++++----- + drivers/crypto/ccp/ccp-crypto.h | 22 ++++++++++++++++++++++ + 3 files changed, 48 insertions(+), 10 deletions(-) + +--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c ++++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c +@@ -204,9 +204,12 @@ static int ccp_aes_cmac_digest(struct ah + static int ccp_aes_cmac_export(struct ahash_request *req, void *out) + { + struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req); +- struct ccp_aes_cmac_req_ctx *state = out; ++ struct ccp_aes_cmac_exp_ctx *state = out; + +- *state = *rctx; ++ state->null_msg = rctx->null_msg; ++ memcpy(state->iv, rctx->iv, sizeof(state->iv)); ++ state->buf_count = rctx->buf_count; ++ memcpy(state->buf, rctx->buf, sizeof(state->buf)); + + return 0; + } +@@ -214,9 +217,12 @@ static int ccp_aes_cmac_export(struct ah + static int ccp_aes_cmac_import(struct ahash_request *req, const void *in) + { + struct ccp_aes_cmac_req_ctx *rctx = ahash_request_ctx(req); +- const struct ccp_aes_cmac_req_ctx *state = in; ++ const struct ccp_aes_cmac_exp_ctx *state = in; + +- *rctx = *state; ++ rctx->null_msg = state->null_msg; ++ memcpy(rctx->iv, state->iv, sizeof(rctx->iv)); ++ rctx->buf_count = state->buf_count; ++ memcpy(rctx->buf, state->buf, sizeof(rctx->buf)); + + return 0; + } +@@ -358,7 +364,7 @@ int ccp_register_aes_cmac_algs(struct li + + halg = &alg->halg; + halg->digestsize = AES_BLOCK_SIZE; +- halg->statesize = sizeof(struct ccp_aes_cmac_req_ctx); ++ halg->statesize = sizeof(struct ccp_aes_cmac_exp_ctx); + + base = &halg->base; + snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "cmac(aes)"); +--- a/drivers/crypto/ccp/ccp-crypto-sha.c ++++ b/drivers/crypto/ccp/ccp-crypto-sha.c +@@ -260,9 +260,14 @@ static int ccp_sha_digest(struct ahash_r + static int ccp_sha_export(struct ahash_request *req, void *out) + { + struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req); +- struct ccp_sha_req_ctx *state = out; ++ struct ccp_sha_exp_ctx *state = out; + +- *state = *rctx; ++ state->type = rctx->type; ++ state->msg_bits = rctx->msg_bits; ++ state->first = rctx->first; ++ memcpy(state->ctx, rctx->ctx, sizeof(state->ctx)); ++ state->buf_count = rctx->buf_count; ++ memcpy(state->buf, rctx->buf, sizeof(state->buf)); + + return 0; + } +@@ -270,9 +275,14 @@ static int ccp_sha_export(struct ahash_r + static int ccp_sha_import(struct ahash_request *req, const void *in) + { + struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req); +- const struct ccp_sha_req_ctx *state = in; ++ const struct ccp_sha_exp_ctx *state = in; + +- *rctx = *state; ++ rctx->type = state->type; ++ rctx->msg_bits = state->msg_bits; ++ rctx->first = state->first; ++ memcpy(rctx->ctx, state->ctx, sizeof(rctx->ctx)); ++ rctx->buf_count = state->buf_count; ++ memcpy(rctx->buf, state->buf, sizeof(rctx->buf)); + + return 0; + } +@@ -494,7 +504,7 @@ static int ccp_register_sha_alg(struct l + + halg = &alg->halg; + halg->digestsize = def->digest_size; +- halg->statesize = sizeof(struct ccp_sha_req_ctx); ++ halg->statesize = sizeof(struct ccp_sha_exp_ctx); + + base = &halg->base; + snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "%s", def->name); +--- a/drivers/crypto/ccp/ccp-crypto.h ++++ b/drivers/crypto/ccp/ccp-crypto.h +@@ -132,6 +132,15 @@ struct ccp_aes_cmac_req_ctx { + struct ccp_cmd cmd; + }; + ++struct ccp_aes_cmac_exp_ctx { ++ unsigned int null_msg; ++ ++ u8 iv[AES_BLOCK_SIZE]; ++ ++ unsigned int buf_count; ++ u8 buf[AES_BLOCK_SIZE]; ++}; ++ + /***** SHA related defines *****/ + #define MAX_SHA_CONTEXT_SIZE SHA256_DIGEST_SIZE + #define MAX_SHA_BLOCK_SIZE SHA256_BLOCK_SIZE +@@ -174,6 +183,19 @@ struct ccp_sha_req_ctx { + struct ccp_cmd cmd; + }; + ++struct ccp_sha_exp_ctx { ++ enum ccp_sha_type type; ++ ++ u64 msg_bits; ++ ++ unsigned int first; ++ ++ u8 ctx[MAX_SHA_CONTEXT_SIZE]; ++ ++ unsigned int buf_count; ++ u8 buf[MAX_SHA_BLOCK_SIZE]; ++}; ++ + /***** Common Context Structure *****/ + struct ccp_ctx { + int (*complete)(struct crypto_async_request *req, int ret); diff --git a/queue-3.14/crypto-ccp-memset-request-context-to-zero-during-import.patch b/queue-3.14/crypto-ccp-memset-request-context-to-zero-during-import.patch new file mode 100644 index 00000000000..6e0942f217c --- /dev/null +++ b/queue-3.14/crypto-ccp-memset-request-context-to-zero-during-import.patch @@ -0,0 +1,43 @@ +From ce0ae266feaf35930394bd770c69778e4ef03ba9 Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Thu, 25 Feb 2016 16:48:13 -0600 +Subject: crypto: ccp - memset request context to zero during import + +From: Tom Lendacky + +commit ce0ae266feaf35930394bd770c69778e4ef03ba9 upstream. + +Since a crypto_ahash_import() can be called against a request context +that has not had a crypto_ahash_init() performed, the request context +needs to be cleared to insure there is no random data present. If not, +the random data can result in a kernel oops during crypto_ahash_update(). + +Signed-off-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-crypto-aes-cmac.c | 1 + + drivers/crypto/ccp/ccp-crypto-sha.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/crypto/ccp/ccp-crypto-aes-cmac.c ++++ b/drivers/crypto/ccp/ccp-crypto-aes-cmac.c +@@ -225,6 +225,7 @@ static int ccp_aes_cmac_import(struct ah + /* 'in' may not be aligned so memcpy to local variable */ + memcpy(&state, in, sizeof(state)); + ++ memset(rctx, 0, sizeof(*rctx)); + rctx->null_msg = state.null_msg; + memcpy(rctx->iv, state.iv, sizeof(rctx->iv)); + rctx->buf_count = state.buf_count; +--- a/drivers/crypto/ccp/ccp-crypto-sha.c ++++ b/drivers/crypto/ccp/ccp-crypto-sha.c +@@ -283,6 +283,7 @@ static int ccp_sha_import(struct ahash_r + /* 'in' may not be aligned so memcpy to local variable */ + memcpy(&state, in, sizeof(state)); + ++ memset(rctx, 0, sizeof(*rctx)); + rctx->type = state.type; + rctx->msg_bits = state.msg_bits; + rctx->first = state.first; diff --git a/queue-3.14/series b/queue-3.14/series index 65fed41d6dd..653955f4ae4 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -31,3 +31,7 @@ alsa-usb-audio-fix-double-free-in-error-paths-after-snd_usb_add_audio_stream-cal bluetooth-btusb-add-new-ar3012-id-13d3-3395.patch bluetooth-btusb-add-a-new-ar3012-id-04ca-3014.patch bluetooth-btusb-add-a-new-ar3012-id-13d3-3472.patch +crypto-ccp-add-hash-state-import-and-export-support.patch +crypto-ccp-limit-the-amount-of-information-exported.patch +crypto-ccp-don-t-assume-export-import-areas-are-aligned.patch +crypto-ccp-memset-request-context-to-zero-during-import.patch