1. 11 Jan, 2019 28 commits
  2. 10 Jan, 2019 11 commits
    • Eric Biggers's avatar
      crypto: sm3 - fix undefined shift by >= width of value · d45a90cb
      Eric Biggers authored
      sm3_compress() calls rol32() with shift >= 32, which causes undefined
      behavior.  This is easily detected by enabling CONFIG_UBSAN.
      
      Explicitly AND with 31 to make the behavior well defined.
      
      Fixes: 4f0fc160 ("crypto: sm3 - add OSCCA SM3 secure hash")
      Cc: <stable@vger.kernel.org> # v4.15+
      Cc: Gilad Ben-Yossef <gilad@benyossef.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      d45a90cb
    • Christophe Leroy's avatar
      crypto: talitos - fix ablkcipher for CONFIG_VMAP_STACK · 1bea445b
      Christophe Leroy authored
      [    2.364486] WARNING: CPU: 0 PID: 60 at ./arch/powerpc/include/asm/io.h:837 dma_nommu_map_page+0x44/0xd4
      [    2.373579] CPU: 0 PID: 60 Comm: cryptomgr_test Tainted: G        W         4.20.0-rc5-00560-g6bfb52e23a00-dirty #531
      [    2.384740] NIP:  c000c540 LR: c000c584 CTR: 00000000
      [    2.389743] REGS: c95abab0 TRAP: 0700   Tainted: G        W          (4.20.0-rc5-00560-g6bfb52e23a00-dirty)
      [    2.400042] MSR:  00029032 <EE,ME,IR,DR,RI>  CR: 24042204  XER: 00000000
      [    2.406669]
      [    2.406669] GPR00: c02f2244 c95abb60 c6262990 c95abd80 0000256a 00000001 00000001 00000001
      [    2.406669] GPR08: 00000000 00002000 00000010 00000010 24042202 00000000 00000100 c95abd88
      [    2.406669] GPR16: 00000000 c05569d4 00000001 00000010 c95abc88 c0615664 00000004 00000000
      [    2.406669] GPR24: 00000010 c95abc88 c95abc88 00000000 c61ae210 c7ff6d40 c61ae210 00003d68
      [    2.441559] NIP [c000c540] dma_nommu_map_page+0x44/0xd4
      [    2.446720] LR [c000c584] dma_nommu_map_page+0x88/0xd4
      [    2.451762] Call Trace:
      [    2.454195] [c95abb60] [82000808] 0x82000808 (unreliable)
      [    2.459572] [c95abb80] [c02f2244] talitos_edesc_alloc+0xbc/0x3c8
      [    2.465493] [c95abbb0] [c02f2600] ablkcipher_edesc_alloc+0x4c/0x5c
      [    2.471606] [c95abbd0] [c02f4ed0] ablkcipher_encrypt+0x20/0x64
      [    2.477389] [c95abbe0] [c02023b0] __test_skcipher+0x4bc/0xa08
      [    2.483049] [c95abe00] [c0204b60] test_skcipher+0x2c/0xcc
      [    2.488385] [c95abe20] [c0204c48] alg_test_skcipher+0x48/0xbc
      [    2.494064] [c95abe40] [c0205cec] alg_test+0x164/0x2e8
      [    2.499142] [c95abf00] [c0200dec] cryptomgr_test+0x48/0x50
      [    2.504558] [c95abf10] [c0039ff4] kthread+0xe4/0x110
      [    2.509471] [c95abf40] [c000e1d0] ret_from_kernel_thread+0x14/0x1c
      [    2.515532] Instruction dump:
      [    2.518468] 7c7e1b78 7c9d2378 7cbf2b78 41820054 3d20c076 8089c200 3d20c076 7c84e850
      [    2.526127] 8129c204 7c842e70 7f844840 419c0008 <0fe00000> 2f9e0000 54847022 7c84fa14
      [    2.533960] ---[ end trace bf78d94af73fe3b8 ]---
      [    2.539123] talitos ff020000.crypto: master data transfer error
      [    2.544775] talitos ff020000.crypto: TEA error: ISR 0x20000000_00000040
      [    2.551625] alg: skcipher: encryption failed on test 1 for ecb-aes-talitos: ret=22
      
      IV cannot be on stack when CONFIG_VMAP_STACK is selected because the stack
      cannot be DMA mapped anymore.
      
      This patch copies the IV into the extended descriptor.
      
      Fixes: 4de9d0b5 ("crypto: talitos - Add ablkcipher algorithms")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Reviewed-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      1bea445b
    • Christophe Leroy's avatar
      crypto: talitos - reorder code in talitos_edesc_alloc() · c56c2e17
      Christophe Leroy authored
      This patch moves the mapping of IV after the kmalloc(). This
      avoids having to unmap in case kmalloc() fails.
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Reviewed-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      c56c2e17
    • Eric Biggers's avatar
      crypto: adiantum - initialize crypto_spawn::inst · 6db43410
      Eric Biggers authored
      crypto_grab_*() doesn't set crypto_spawn::inst, so templates must set it
      beforehand.  Otherwise it will be left NULL, which causes a crash in
      certain cases where algorithms are dynamically loaded/unloaded.  E.g.
      with CONFIG_CRYPTO_CHACHA20_X86_64=m, the following caused a crash:
      
          insmod chacha-x86_64.ko
          python -c 'import socket; socket.socket(socket.AF_ALG, 5, 0).bind(("skcipher", "adiantum(xchacha12,aes)"))'
          rmmod chacha-x86_64.ko
          python -c 'import socket; socket.socket(socket.AF_ALG, 5, 0).bind(("skcipher", "adiantum(xchacha12,aes)"))'
      
      Fixes: 059c2a4d ("crypto: adiantum - add Adiantum support")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      6db43410
    • Dan Carpenter's avatar
      crypto: cavium/nitrox - Use after free in process_response_list() · 06bbf753
      Dan Carpenter authored
      We free "sr" and then dereference it on the next line.
      
      Fixes: c9613335 ("crypto: cavium/nitrox - Added AEAD cipher support")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      06bbf753
    • Harsh Jain's avatar
      crypto: authencesn - Avoid twice completion call in decrypt path · a7773363
      Harsh Jain authored
      Authencesn template in decrypt path unconditionally calls aead_request_complete
      after ahash_verify which leads to following kernel panic in after decryption.
      
      [  338.539800] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
      [  338.548372] PGD 0 P4D 0
      [  338.551157] Oops: 0000 [#1] SMP PTI
      [  338.554919] CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Tainted: G        W I       4.19.7+ #13
      [  338.564431] Hardware name: Supermicro X8ST3/X8ST3, BIOS 2.0        07/29/10
      [  338.572212] RIP: 0010:esp_input_done2+0x350/0x410 [esp4]
      [  338.578030] Code: ff 0f b6 68 10 48 8b 83 c8 00 00 00 e9 8e fe ff ff 8b 04 25 04 00 00 00 83 e8 01 48 98 48 8b 3c c5 10 00 00 00 e9 f7 fd ff ff <8b> 04 25 04 00 00 00 83 e8 01 48 98 4c 8b 24 c5 10 00 00 00 e9 3b
      [  338.598547] RSP: 0018:ffff911c97803c00 EFLAGS: 00010246
      [  338.604268] RAX: 0000000000000002 RBX: ffff911c4469ee00 RCX: 0000000000000000
      [  338.612090] RDX: 0000000000000000 RSI: 0000000000000130 RDI: ffff911b87c20400
      [  338.619874] RBP: 0000000000000000 R08: ffff911b87c20498 R09: 000000000000000a
      [  338.627610] R10: 0000000000000001 R11: 0000000000000004 R12: 0000000000000000
      [  338.635402] R13: ffff911c89590000 R14: ffff911c91730000 R15: 0000000000000000
      [  338.643234] FS:  0000000000000000(0000) GS:ffff911c97800000(0000) knlGS:0000000000000000
      [  338.652047] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  338.658299] CR2: 0000000000000004 CR3: 00000001ec20a000 CR4: 00000000000006f0
      [  338.666382] Call Trace:
      [  338.669051]  <IRQ>
      [  338.671254]  esp_input_done+0x12/0x20 [esp4]
      [  338.675922]  chcr_handle_resp+0x3b5/0x790 [chcr]
      [  338.680949]  cpl_fw6_pld_handler+0x37/0x60 [chcr]
      [  338.686080]  chcr_uld_rx_handler+0x22/0x50 [chcr]
      [  338.691233]  uldrx_handler+0x8c/0xc0 [cxgb4]
      [  338.695923]  process_responses+0x2f0/0x5d0 [cxgb4]
      [  338.701177]  ? bitmap_find_next_zero_area_off+0x3a/0x90
      [  338.706882]  ? matrix_alloc_area.constprop.7+0x60/0x90
      [  338.712517]  ? apic_update_irq_cfg+0x82/0xf0
      [  338.717177]  napi_rx_handler+0x14/0xe0 [cxgb4]
      [  338.722015]  net_rx_action+0x2aa/0x3e0
      [  338.726136]  __do_softirq+0xcb/0x280
      [  338.730054]  irq_exit+0xde/0xf0
      [  338.733504]  do_IRQ+0x54/0xd0
      [  338.736745]  common_interrupt+0xf/0xf
      
      Fixes: 104880a6 ("crypto: authencesn - Convert to new AEAD...")
      Signed-off-by: default avatarHarsh Jain <harsh@chelsio.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      a7773363
    • Horia Geantă's avatar
      crypto: caam - fix SHA support detection · 2dd3fde4
      Horia Geantă authored
      The addition of Chacha20 + Poly1305 authenc support inadvertently broke
      detection of algorithms supported by MDHA (Message Digest Hardware
      Accelerator), fix it.
      
      Fixes: d6bbd4ee ("crypto: caam/jr - add support for Chacha20 + Poly1305")
      Signed-off-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      2dd3fde4
    • Aymen Sghaier's avatar
      crypto: caam - fix zero-length buffer DMA mapping · 04e6d25c
      Aymen Sghaier authored
      Recent changes - probably DMA API related (generic and/or arm64-specific) -
      exposed a case where driver maps a zero-length buffer:
      ahash_init()->ahash_update()->ahash_final() with a zero-length string to
      hash
      
      kernel BUG at kernel/dma/swiotlb.c:475!
      Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
      Modules linked in:
      CPU: 2 PID: 1823 Comm: cryptomgr_test Not tainted 4.20.0-rc1-00108-g00c9fe37 #1
      Hardware name: LS1046A RDB Board (DT)
      pstate: 80000005 (Nzcv daif -PAN -UAO)
      pc : swiotlb_tbl_map_single+0x170/0x2b8
      lr : swiotlb_map_page+0x134/0x1f8
      sp : ffff00000f79b8f0
      x29: ffff00000f79b8f0 x28: 0000000000000000
      x27: ffff0000093d0000 x26: 0000000000000000
      x25: 00000000001f3ffe x24: 0000000000200000
      x23: 0000000000000000 x22: 00000009f2c538c0
      x21: ffff800970aeb410 x20: 0000000000000001
      x19: ffff800970aeb410 x18: 0000000000000007
      x17: 000000000000000e x16: 0000000000000001
      x15: 0000000000000019 x14: c32cb8218a167fe8
      x13: ffffffff00000000 x12: ffff80097fdae348
      x11: 0000800976bca000 x10: 0000000000000010
      x9 : 0000000000000000 x8 : ffff0000091fd6c8
      x7 : 0000000000000000 x6 : 00000009f2c538bf
      x5 : 0000000000000000 x4 : 0000000000000001
      x3 : 0000000000000000 x2 : 00000009f2c538c0
      x1 : 00000000f9fff000 x0 : 0000000000000000
      Process cryptomgr_test (pid: 1823, stack limit = 0x(____ptrval____))
      Call trace:
       swiotlb_tbl_map_single+0x170/0x2b8
       swiotlb_map_page+0x134/0x1f8
       ahash_final_no_ctx+0xc4/0x6cc
       ahash_final+0x10/0x18
       crypto_ahash_op+0x30/0x84
       crypto_ahash_final+0x14/0x1c
       __test_hash+0x574/0xe0c
       test_hash+0x28/0x80
       __alg_test_hash+0x84/0xd0
       alg_test_hash+0x78/0x144
       alg_test.part.30+0x12c/0x2b4
       alg_test+0x3c/0x68
       cryptomgr_test+0x44/0x4c
       kthread+0xfc/0x128
       ret_from_fork+0x10/0x18
      Code: d34bfc18 2a1a03f7 1a9f8694 35fff89a (d4210000)
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAymen Sghaier <aymen.sghaier@nxp.com>
      Signed-off-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      04e6d25c
    • Eric Biggers's avatar
      crypto: ccree - convert to use crypto_authenc_extractkeys() · dc95b535
      Eric Biggers authored
      Convert the ccree crypto driver to use crypto_authenc_extractkeys() so
      that it picks up the fix for broken validation of rtattr::rta_len.
      
      Fixes: ff27e85a ("crypto: ccree - add AEAD support")
      Cc: <stable@vger.kernel.org> # v4.17+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      dc95b535
    • Eric Biggers's avatar
      crypto: bcm - convert to use crypto_authenc_extractkeys() · ab57b335
      Eric Biggers authored
      Convert the bcm crypto driver to use crypto_authenc_extractkeys() so
      that it picks up the fix for broken validation of rtattr::rta_len.
      
      This also fixes the DES weak key check to actually be done on the right
      key. (It was checking the authentication key, not the encryption key...)
      
      Fixes: 9d12ba86 ("crypto: brcm - Add Broadcom SPU driver")
      Cc: <stable@vger.kernel.org> # v4.11+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      ab57b335
    • Eric Biggers's avatar
      crypto: authenc - fix parsing key with misaligned rta_len · 8f9c4693
      Eric Biggers authored
      Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte
      'enckeylen', followed by an authentication key and an encryption key.
      crypto_authenc_extractkeys() parses the key to find the inner keys.
      
      However, it fails to consider the case where the rtattr's payload is
      longer than 4 bytes but not 4-byte aligned, and where the key ends
      before the next 4-byte aligned boundary.  In this case, 'keylen -=
      RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX.  This
      causes a buffer overread and crash during crypto_ahash_setkey().
      
      Fix it by restricting the rtattr payload to the expected size.
      
      Reproducer using AF_ALG:
      
      	#include <linux/if_alg.h>
      	#include <linux/rtnetlink.h>
      	#include <sys/socket.h>
      
      	int main()
      	{
      		int fd;
      		struct sockaddr_alg addr = {
      			.salg_type = "aead",
      			.salg_name = "authenc(hmac(sha256),cbc(aes))",
      		};
      		struct {
      			struct rtattr attr;
      			__be32 enckeylen;
      			char keys[1];
      		} __attribute__((packed)) key = {
      			.attr.rta_len = sizeof(key),
      			.attr.rta_type = 1 /* CRYPTO_AUTHENC_KEYA_PARAM */,
      		};
      
      		fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
      		bind(fd, (void *)&addr, sizeof(addr));
      		setsockopt(fd, SOL_ALG, ALG_SET_KEY, &key, sizeof(key));
      	}
      
      It caused:
      
      	BUG: unable to handle kernel paging request at ffff88007ffdc000
      	PGD 2e01067 P4D 2e01067 PUD 2e04067 PMD 2e05067 PTE 0
      	Oops: 0000 [#1] SMP
      	CPU: 0 PID: 883 Comm: authenc Not tainted 4.20.0-rc1-00108-g00c9fe37 #13
      	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014
      	RIP: 0010:sha256_ni_transform+0xb3/0x330 arch/x86/crypto/sha256_ni_asm.S:155
      	[...]
      	Call Trace:
      	 sha256_ni_finup+0x10/0x20 arch/x86/crypto/sha256_ssse3_glue.c:321
      	 crypto_shash_finup+0x1a/0x30 crypto/shash.c:178
      	 shash_digest_unaligned+0x45/0x60 crypto/shash.c:186
      	 crypto_shash_digest+0x24/0x40 crypto/shash.c:202
      	 hmac_setkey+0x135/0x1e0 crypto/hmac.c:66
      	 crypto_shash_setkey+0x2b/0xb0 crypto/shash.c:66
      	 shash_async_setkey+0x10/0x20 crypto/shash.c:223
      	 crypto_ahash_setkey+0x2d/0xa0 crypto/ahash.c:202
      	 crypto_authenc_setkey+0x68/0x100 crypto/authenc.c:96
      	 crypto_aead_setkey+0x2a/0xc0 crypto/aead.c:62
      	 aead_setkey+0xc/0x10 crypto/algif_aead.c:526
      	 alg_setkey crypto/af_alg.c:223 [inline]
      	 alg_setsockopt+0xfe/0x130 crypto/af_alg.c:256
      	 __sys_setsockopt+0x6d/0xd0 net/socket.c:1902
      	 __do_sys_setsockopt net/socket.c:1913 [inline]
      	 __se_sys_setsockopt net/socket.c:1910 [inline]
      	 __x64_sys_setsockopt+0x1f/0x30 net/socket.c:1910
      	 do_syscall_64+0x4a/0x180 arch/x86/entry/common.c:290
      	 entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: e236d4a8 ("[CRYPTO] authenc: Move enckeylen into key itself")
      Cc: <stable@vger.kernel.org> # v2.6.25+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      8f9c4693
  3. 07 Jan, 2019 1 commit