6.6-stable patches

added patches:
	crypto-ecdsa-harden-against-integer-overflows-in-div_round_up.patch

diff --git a/queue-6.6/crypto-ecdsa-harden-against-integer-overflows-in-div_round_up.patch b/queue-6.6/crypto-ecdsa-harden-against-integer-overflows-in-div_round_up.patch
new file mode 100644 (file)
index 0000000..71f981f
--- /dev/null
+++ b/queue-6.6/crypto-ecdsa-harden-against-integer-overflows-in-div_round_up.patch
@@ -0,0 +1,64 @@
+From b16510a530d1e6ab9683f04f8fb34f2e0f538275 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Sun, 2 Feb 2025 20:00:52 +0100
+Subject: crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP()
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit b16510a530d1e6ab9683f04f8fb34f2e0f538275 upstream.
+
+Herbert notes that DIV_ROUND_UP() may overflow unnecessarily if an ecdsa
+implementation's ->key_size() callback returns an unusually large value.
+Herbert instead suggests (for a division by 8):
+
+  X / 8 + !!(X & 7)
+
+Based on this formula, introduce a generic DIV_ROUND_UP_POW2() macro and
+use it in lieu of DIV_ROUND_UP() for ->key_size() return values.
+
+Additionally, use the macro in ecc_digits_from_bytes(), whose "nbytes"
+parameter is a ->key_size() return value in some instances, or a
+user-specified ASN.1 length in the case of ecdsa_get_signature_rs().
+
+Link: https://lore.kernel.org/r/Z3iElsILmoSu6FuC@gondor.apana.org.au/
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ crypto/ecc.c         |    2 +-
+ include/linux/math.h |   12 ++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/crypto/ecc.c
++++ b/crypto/ecc.c
+@@ -69,7 +69,7 @@ EXPORT_SYMBOL(ecc_get_curve);
+ void ecc_digits_from_bytes(const u8 *in, unsigned int nbytes,
+                          u64 *out, unsigned int ndigits)
+ {
+-      int diff = ndigits - DIV_ROUND_UP(nbytes, sizeof(u64));
++      int diff = ndigits - DIV_ROUND_UP_POW2(nbytes, sizeof(u64));
+       unsigned int o = nbytes & 7;
+       __be64 msd = 0;
+ 
+--- a/include/linux/math.h
++++ b/include/linux/math.h
+@@ -34,6 +34,18 @@
+  */
+ #define round_down(x, y) ((x) & ~__round_mask(x, y))
+ 
++/**
++ * DIV_ROUND_UP_POW2 - divide and round up
++ * @n: numerator
++ * @d: denominator (must be a power of 2)
++ *
++ * Divides @n by @d and rounds up to next multiple of @d (which must be a power
++ * of 2). Avoids integer overflows that may occur with __KERNEL_DIV_ROUND_UP().
++ * Performance is roughly equivalent to __KERNEL_DIV_ROUND_UP().
++ */
++#define DIV_ROUND_UP_POW2(n, d) \
++      ((n) / (d) + !!((n) & ((d) - 1)))
++
+ #define DIV_ROUND_UP __KERNEL_DIV_ROUND_UP
+ 
+ #define DIV_ROUND_DOWN_ULL(ll, d) \

diff --git a/queue-6.6/series b/queue-6.6/series
index ae31e210500bab7923a42cb507fdbed121776ae6..787759cd92690ef968b897f6c04989e420bc05d6 100644 (file)
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -107,3 +107,4 @@ selftests-bpf-adapt-one-more-case-in-test_lru_map-to-the-new-target_free.patch
 smb-client-fix-potential-race-in-cifs_put_tcon.patch
 kasan-remove-kasan_find_vm_area-to-prevent-possible-deadlock.patch
 ksmbd-fix-potential-use-after-free-in-oplock-lease-break-ack.patch
+crypto-ecdsa-harden-against-integer-overflows-in-div_round_up.patch