From: Greg Kroah-Hartman Date: Wed, 20 Mar 2019 18:06:00 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v3.18.137~67 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fa96befc3a1c2f56260fdd450ac50062f36ad4d5;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: crypto-pcbc-remove-bogus-memcpy-s-with-src-dest.patch --- diff --git a/queue-3.18/crypto-pcbc-remove-bogus-memcpy-s-with-src-dest.patch b/queue-3.18/crypto-pcbc-remove-bogus-memcpy-s-with-src-dest.patch new file mode 100644 index 00000000000..f35662f8532 --- /dev/null +++ b/queue-3.18/crypto-pcbc-remove-bogus-memcpy-s-with-src-dest.patch @@ -0,0 +1,93 @@ +From 251b7aea34ba3c4d4fdfa9447695642eb8b8b098 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 3 Jan 2019 20:16:13 -0800 +Subject: crypto: pcbc - remove bogus memcpy()s with src == dest + +From: Eric Biggers + +commit 251b7aea34ba3c4d4fdfa9447695642eb8b8b098 upstream. + +The memcpy()s in the PCBC implementation use walk->iv as both the source +and destination, which has undefined behavior. These memcpy()'s are +actually unneeded, because walk->iv is already used to hold the previous +plaintext block XOR'd with the previous ciphertext block. Thus, +walk->iv is already updated to its final value. + +So remove the broken and unnecessary memcpy()s. + +Fixes: 91652be5d1b9 ("[CRYPTO] pcbc: Add Propagated CBC template") +Cc: # v2.6.21+ +Cc: David Howells +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Maxim Zhukov +Signed-off-by: Greg Kroah-Hartman +--- + crypto/pcbc.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +--- a/crypto/pcbc.c ++++ b/crypto/pcbc.c +@@ -52,7 +52,7 @@ static int crypto_pcbc_encrypt_segment(s + unsigned int nbytes = walk->nbytes; + u8 *src = walk->src.virt.addr; + u8 *dst = walk->dst.virt.addr; +- u8 *iv = walk->iv; ++ u8 * const iv = walk->iv; + + do { + crypto_xor(iv, src, bsize); +@@ -76,7 +76,7 @@ static int crypto_pcbc_encrypt_inplace(s + int bsize = crypto_cipher_blocksize(tfm); + unsigned int nbytes = walk->nbytes; + u8 *src = walk->src.virt.addr; +- u8 *iv = walk->iv; ++ u8 * const iv = walk->iv; + u8 tmpbuf[bsize]; + + do { +@@ -89,8 +89,6 @@ static int crypto_pcbc_encrypt_inplace(s + src += bsize; + } while ((nbytes -= bsize) >= bsize); + +- memcpy(walk->iv, iv, bsize); +- + return nbytes; + } + +@@ -130,7 +128,7 @@ static int crypto_pcbc_decrypt_segment(s + unsigned int nbytes = walk->nbytes; + u8 *src = walk->src.virt.addr; + u8 *dst = walk->dst.virt.addr; +- u8 *iv = walk->iv; ++ u8 * const iv = walk->iv; + + do { + fn(crypto_cipher_tfm(tfm), dst, src); +@@ -142,8 +140,6 @@ static int crypto_pcbc_decrypt_segment(s + dst += bsize; + } while ((nbytes -= bsize) >= bsize); + +- memcpy(walk->iv, iv, bsize); +- + return nbytes; + } + +@@ -156,7 +152,7 @@ static int crypto_pcbc_decrypt_inplace(s + int bsize = crypto_cipher_blocksize(tfm); + unsigned int nbytes = walk->nbytes; + u8 *src = walk->src.virt.addr; +- u8 *iv = walk->iv; ++ u8 * const iv = walk->iv; + u8 tmpbuf[bsize]; + + do { +@@ -169,8 +165,6 @@ static int crypto_pcbc_decrypt_inplace(s + src += bsize; + } while ((nbytes -= bsize) >= bsize); + +- memcpy(walk->iv, iv, bsize); +- + return nbytes; + } + diff --git a/queue-3.18/series b/queue-3.18/series index 3337330b77c..2362d31e476 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -115,3 +115,4 @@ scsi-virtio_scsi-don-t-send-sc-payload-with-tmfs.patch scsi-target-iscsi-avoid-iscsit_release_commands_from_conn-deadlock.patch m68k-add-ffreestanding-to-cflags.patch btrfs-fix-corruption-reading-shared-and-compressed-extents-after-hole-punching.patch +crypto-pcbc-remove-bogus-memcpy-s-with-src-dest.patch