From: Greg Kroah-Hartman
Date: Tue, 15 Jul 2025 15:35:30 +0000 (+0200)
Subject: 6.6-stable patches
X-Git-Tag: v5.4.296~10
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=109984525f19fe72be58d7324230c7c68a8aa066;p=thirdparty%2Fkernel%2Fstable-queue.git

6.6-stable patches

added patches:
crypto-ecdsa-harden-against-integer-overflows-in-div_round_up.patch
---

diff --git a/queue-6.6/crypto-ecdsa-harden-against-integer-overflows-in-div_round_up.patch b/queue-6.6/crypto-ecdsa-harden-against-integer-overflows-in-div_round_up.patch
new file mode 100644
index 0000000000..71f981f978
--- /dev/null
+++ b/queue-6.6/crypto-ecdsa-harden-against-integer-overflows-in-div_round_up.patch
@@ -0,0 +1,64 @@
+From b16510a530d1e6ab9683f04f8fb34f2e0f538275 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner
+Date: Sun, 2 Feb 2025 20:00:52 +0100
+Subject: crypto: ecdsa - Harden against integer overflows in DIV_ROUND_UP()
+
+From: Lukas Wunner
+
+commit b16510a530d1e6ab9683f04f8fb34f2e0f538275 upstream.
+
+Herbert notes that DIV_ROUND_UP() may overflow unnecessarily if an ecdsa
+implementation's ->key_size() callback returns an unusually large value.
+Herbert instead suggests (for a division by 8):
+
+ X / 8 + !!(X & 7)
+
+Based on this formula, introduce a generic DIV_ROUND_UP_POW2() macro and
+use it in lieu of DIV_ROUND_UP() for ->key_size() return values.
+
+Additionally, use the macro in ecc_digits_from_bytes(), whose "nbytes"
+parameter is a ->key_size() return value in some instances, or a
+user-specified ASN.1 length in the case of ecdsa_get_signature_rs().
+
+Link: https://lore.kernel.org/r/Z3iElsILmoSu6FuC@gondor.apana.org.au/
+Signed-off-by: Lukas Wunner
+Signed-off-by: Lukas Wunner
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+---
+ crypto/ecc.c | 2 +-
+ include/linux/math.h | 12 ++++++++++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/crypto/ecc.c
++++ b/crypto/ecc.c
+@@ -69,7 +69,7 @@ EXPORT_SYMBOL(ecc_get_curve);
+ void ecc_digits_from_bytes(const u8 *in, unsigned int nbytes,
+ u64 *out, unsigned int ndigits)
+ {
+- int diff = ndigits - DIV_ROUND_UP(nbytes, sizeof(u64));
++ int diff = ndigits - DIV_ROUND_UP_POW2(nbytes, sizeof(u64));
+ unsigned int o = nbytes & 7;
+ __be64 msd = 0;
+ 
+--- a/include/linux/math.h
++++ b/include/linux/math.h
+@@ -34,6 +34,18 @@
+ */
+ #define round_down(x, y) ((x) & ~__round_mask(x, y))
+ 
++/**
++ * DIV_ROUND_UP_POW2 - divide and round up
++ * @n: numerator
++ * @d: denominator (must be a power of 2)
++ *
++ * Divides @n by @d and rounds up to next multiple of @d (which must be a power
++ * of 2). Avoids integer overflows that may occur with __KERNEL_DIV_ROUND_UP().
++ * Performance is roughly equivalent to __KERNEL_DIV_ROUND_UP().
++ */
++#define DIV_ROUND_UP_POW2(n, d) \
++ ((n) / (d) + !!((n) & ((d) - 1)))
++
+ #define DIV_ROUND_UP __KERNEL_DIV_ROUND_UP
+ 
+ #define DIV_ROUND_DOWN_ULL(ll, d) \
diff --git a/queue-6.6/series b/queue-6.6/series
index ae31e21050..787759cd92 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -107,3 +107,4 @@ selftests-bpf-adapt-one-more-case-in-test_lru_map-to-the-new-target_free.patch
 smb-client-fix-potential-race-in-cifs_put_tcon.patch
 kasan-remove-kasan_find_vm_area-to-prevent-possible-deadlock.patch
 ksmbd-fix-potential-use-after-free-in-oplock-lease-break-ack.patch
+crypto-ecdsa-harden-against-integer-overflows-in-div_round_up.patch
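Review bot: The kerneldoc added for DIV_ROUND_UP_POW2() in the include/linux/math.h part of this hunk says the macro "rounds up to next multiple of @d", which describes round_up(); the expression `(n) / (d) + !!((n) & ((d) - 1))` yields the quotient rounded up (the ceiling of n/d), never a multiple of @d. Suggested wording: ` * Divides @n by @d and rounds the quotient up, i.e. yields the ceiling of @n / @d, without the intermediate addition that can overflow in __KERNEL_DIV_ROUND_UP().` The power-of-2 requirement on @d is documented but not checked, so a non-power-of-2 @d silently returns a wrong result because `(d) - 1` is then not a low-bit mask; since @n can be a user-specified ASN.1 length per the commit message, call sites should keep passing constant, side-effect-free denominators such as `sizeof(u64)`, as both macro arguments are expanded more than once. ecc_digits_from_bytes() continues past the end of its hunk, so only its first statement is visible here.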