- 03 Jul, 2019 3 commits
-
-
Eric Biggers authored
Michal Suchanek reported [1] that running the pcrypt_aead01 test from LTP [2] in a loop and holding Ctrl-C causes a NULL dereference of alg->cra_users.next in crypto_remove_spawns(), via crypto_del_alg(). The test repeatedly uses CRYPTO_MSG_NEWALG and CRYPTO_MSG_DELALG. The crash occurs when the instance that CRYPTO_MSG_DELALG is trying to unregister isn't a real registered algorithm, but rather is a "test larval", which is a special "algorithm" added to the algorithms list while the real algorithm is still being tested. Larvals don't have initialized cra_users, so that causes the crash. Normally pcrypt_aead01 doesn't trigger this because CRYPTO_MSG_NEWALG waits for the algorithm to be tested; however, CRYPTO_MSG_NEWALG returns early when interrupted. Everything else in the "crypto user configuration" API has this same bug too, i.e. it inappropriately allows operating on larval algorithms (though it doesn't look like the other cases can cause a crash). Fix this by making crypto_alg_match() exclude larval algorithms. [1] https://lkml.kernel.org/r/20190625071624.27039-1-msuchanek@suse.de [2] https://github.com/linux-test-project/ltp/blob/20190517/testcases/kernel/crypto/pcrypt_aead01.cReported-by:
Michal Suchanek <msuchanek@suse.de> Fixes: a38f7907 ("crypto: Add userspace configuration API") Cc: <stable@vger.kernel.org> # v3.2+ Cc: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by:
Eric Biggers <ebiggers@google.com> Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au>
-
Vincent Whitchurch authored
cryptd_skcipher_free() fails to free the struct skcipher_instance allocated in cryptd_create_skcipher(), leading to a memory leak. This is detected by kmemleak on bootup on ARM64 platforms: unreferenced object 0xffff80003377b180 (size 1024): comm "cryptomgr_probe", pid 822, jiffies 4294894830 (age 52.760s) backtrace: kmem_cache_alloc_trace+0x270/0x2d0 cryptd_create+0x990/0x124c cryptomgr_probe+0x5c/0x1e8 kthread+0x258/0x318 ret_from_fork+0x10/0x1c Fixes: 4e0958d1 ("crypto: cryptd - Add support for skcipher") Cc: <stable@vger.kernel.org> Signed-off-by:Vincent Whitchurch <vincent.whitchurch@axis.com> Signed-off-by:
-
Herbert Xu authored
Sometimes mpi_powm will leak karactx because a memory allocation failure causes a bail-out that skips the freeing of karactx. This patch moves the freeing of karactx to the end of the function like everything else so that it can't be skipped. Reported-by: syzbot+f7baccc38dcc1e094e77@syzkaller.appspotmail.com Fixes: cdec9cb5 ("crypto: GnuPG based MPI lib - source files...") Cc: <stable@vger.kernel.org> Signed-off-by:
Eric Biggers <ebiggers@kernel.org> Signed-off-by:
-
- 30 May, 2019 2 commits
-
-
Eric Biggers authored
When I added the sanity check of 'descsize', I missed that the child hash tfm needs to be freed if the sanity check fails. Of course this should never happen, hence the use of WARN_ON(), but it should be fixed. Fixes: e1354400 ("crypto: hash - fix incorrect HASH_MAX_DESCSIZE") Signed-off-by:
-
Eric Biggers authored
"jitterentropy_rng" doesn't have any other implementations, nor is it tested by the crypto self-tests. So it was unnecessary to change it to subsys_initcall. Also it depends on the main clocksource being initialized, which may happen after subsys_initcall, causing this error: jitterentropy: Initialization failed with host not compliant with requirements: 2 Change it back to module_init(). Fixes: c4741b23 ("crypto: run initcalls for generic implementations earlier") Reported-by:Geert Uytterhoeven <geert@linux-m68k.org> Signed-off-by:
Geert Uytterhoeven <geert+renesas@glider.be> Signed-off-by:
-
- 17 May, 2019 4 commits
-
-
Daniel Axtens authored
VMX ghash was using a fallback that did not support interleaving simd and nosimd operations, leading to failures in the extended test suite. If I understood correctly, Eric's suggestion was to use the same data format that the generic code uses, allowing us to call into it with the same contexts. I wasn't able to get that to work - I think there's a very different key structure and data layout being used. So instead steal the arm64 approach and perform the fallback operations directly if required. Fixes: cc333cd6 ("crypto: vmx - Adding GHASH routines for VMX module") Cc: stable@vger.kernel.org # v4.1+ Reported-by:
Daniel Axtens <dja@axtens.net> Acked-by:
Ard Biesheuvel <ard.biesheuvel@linaro.org> Tested-by:
Michael Ellerman <mpe@ellerman.id.au> Signed-off-by:
-
Daniel Axtens authored
The kernel self-tests picked up an issue with CTR mode: alg: skcipher: p8_aes_ctr encryption test failed (wrong result) on test vector 3, cfg="uneven misaligned splits, may sleep" Test vector 3 has an IV of FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD, so after 3 increments it should wrap around to 0. In the aesp8-ppc code from OpenSSL, there are two paths that increment IVs: the bulk (8 at a time) path, and the individual path which is used when there are fewer than 8 AES blocks to process. In the bulk path, the IV is incremented with vadduqm: "Vector Add Unsigned Quadword Modulo", which does 128-bit addition. In the individual path, however, the IV is incremented with vadduwm: "Vector Add Unsigned Word Modulo", which instead does 4 32-bit additions. Thus the IV would instead become FFFFFFFFFFFFFFFFFFFFFFFF00000000, throwing off the result. Use vadduqm. This was probably a typo originally, what with q and w being adjacent. It is a pretty narrow edge case: I am really impressed by the quality of the kernel self-tests! Fixes: 5c380d62 ("crypto: vmx - Add support for VMS instructions by ASM") Cc: stable@vger.kernel.org Signed-off-by:
Nayna Jain <nayna@linux.ibm.com> Tested-by:
-
Eric Biggers authored
The "hmac(sha3-224-generic)" algorithm has a descsize of 368 bytes, which is greater than HASH_MAX_DESCSIZE (360) which is only enough for sha3-224-generic. The check in shash_prepare_alg() doesn't catch this because the HMAC template doesn't set descsize on the algorithms, but rather sets it on each individual HMAC transform. This causes a stack buffer overflow when SHASH_DESC_ON_STACK() is used with hmac(sha3-224-generic). Fix it by increasing HASH_MAX_DESCSIZE to the real maximum. Also add a sanity check to hmac_init(). This was detected by the improved crypto self-tests in v5.2, by loading the tcrypt module with CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y enabled. I didn't notice this bug when I ran the self-tests by requesting the algorithms via AF_ALG (i.e., not using tcrypt), probably because the stack layout differs in the two cases and that made a difference here. KASAN report: BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:359 [inline] BUG: KASAN: stack-out-of-bounds in shash_default_import+0x52/0x80 crypto/shash.c:223 Write of size 360 at addr ffff8880651defc8 by task insmod/3689 CPU: 2 PID: 3689 Comm: insmod Tainted: G E 5.1.0-10741-g35c99ffa #11 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x86/0xc5 lib/dump_stack.c:113 print_address_description+0x7f/0x260 mm/kasan/report.c:188 __kasan_report+0x144/0x187 mm/kasan/report.c:317 kasan_report+0x12/0x20 mm/kasan/common.c:614 check_memory_region_inline mm/kasan/generic.c:185 [inline] check_memory_region+0x137/0x190 mm/kasan/generic.c:191 memcpy+0x37/0x50 mm/kasan/common.c:125 memcpy include/linux/string.h:359 [inline] shash_default_import+0x52/0x80 crypto/shash.c:223 crypto_shash_import include/crypto/hash.h:880 [inline] hmac_import+0x184/0x240 crypto/hmac.c:102 hmac_init+0x96/0xc0 crypto/hmac.c:107 crypto_shash_init include/crypto/hash.h:902 [inline] shash_digest_unaligned+0x9f/0xf0 crypto/shash.c:194 crypto_shash_digest+0xe9/0x1b0 crypto/shash.c:211 generate_random_hash_testvec.constprop.11+0x1ec/0x5b0 crypto/testmgr.c:1331 test_hash_vs_generic_impl+0x3f7/0x5c0 crypto/testmgr.c:1420 __alg_test_hash+0x26d/0x340 crypto/testmgr.c:1502 alg_test_hash+0x22e/0x330 crypto/testmgr.c:1552 alg_test.part.7+0x132/0x610 crypto/testmgr.c:4931 alg_test+0x1f/0x40 crypto/testmgr.c:4952 Fixes: b68a7ec1 ("crypto: hash - Remove VLA usage") Reported-by:Corentin Labbe <clabbe.montjoie@gmail.com> Cc: <stable@vger.kernel.org> # v4.20+ Cc: Kees Cook <keescook@chromium.org> Signed-off-by:
Kees Cook <keescook@chromium.org> Tested-by:
-
Iuliana Prodan authored
Fix a typo in the list of i.MX6 devices affected by an issue wherein AXI bus transactions may not occur in the correct order. Fixes: 33d69455 ("crypto: caam - limit AXI pipeline to a depth of 1") Signed-off-by:
Iuliana Prodan <iuliana.prodan@nxp.com> Reviewed-by:
Horia Geantă <horia.geanta@nxp.com> Signed-off-by:
-
- 09 May, 2019 7 commits
-
-
Herbert Xu authored
This reverts commit bbfcac5f. It caused a crash regression on powerpc: https://lore.kernel.org/linux-crypto/87pnp2aflz.fsf@concordia.ellerman.id.au/Signed-off-by:
-
Iuliana Prodan authored
Fix caam_dump_sg by correctly determining the next scatterlist entry in the list. Fixes: 5ecf8ef9 ("crypto: caam - fix sg dump") Signed-off-by:
-
Herbert Xu authored
The detection for DKP (Derived Key Protocol) relied on the value of the setkey function. This was broken by the recent change which added des3_aead_setkey. This patch fixes this by introducing a new flag for DKP and setting that where needed. Fixes: 1b52c409 ("crypto: caam - Forbid 2-key 3DES in FIPS mode") Reported-by:
-
Atul Gupta authored
Modified the maintainer name Signed-off-by:
Atul Gupta <atul.gupta@chelsio.com> Signed-off-by:
-
Atul Gupta authored
The partial block should count as one and appropriately appended to IV. eg 499B for AES CTR should count 32 block than 31 and correct count value is updated in iv out. Signed-off-by:
-
Atul Gupta authored
removed un-necessary lock_chcr_dev to protect device state DETACH. lock is not required to protect I/O count Signed-off-by:
-
Atul Gupta authored
Do not request FW to generate cidx update if there is less space in tx queue to post new request. SGE DBP 1 pidx increment too large BUG: unable to handle kernel NULL pointer dereference at 0000000000000124 SGE error for queue 101 Signed-off-by:
-
- 03 May, 2019 16 commits
-
-
Gilad Ben-Yossef authored
We build an explicit little endian value from the IDR register values. Use a proper le32 type to mark the var as such to satisfy Sparse. Signed-off-by:
Gilad Ben-Yossef <gilad@benyossef.com> Reported-by:
kbuild test robot <lkp@intel.com> Fixes: dcf6285d ("crypto: ccree - add CID and PID support") Signed-off-by:
-
YueHaibing authored
Fixes gcc '-Wunused-but-set-variable' warning: drivers/crypto/ccree/cc_cipher.c: In function cc_setup_key_desc: drivers/crypto/ccree/cc_cipher.c:645:15: warning: variable du_size set but not used [-Wunused-but-set-variable] It is never used since introduction in commit dd8486c7 ("crypto: ccree - move key load desc. before flow desc.") Signed-off-by:
YueHaibing <yuehaibing@huawei.com> Signed-off-by:
-
YueHaibing authored
Fix sparse warning: drivers/crypto/ccree/cc_driver.c:37:6: warning: symbol 'cc_sec_disable' was not declared. Should it be static? Signed-off-by:
-
Colin Ian King authored
There is a spelling mistake in a dev_dbg message, fix it. Signed-off-by:
Colin Ian King <colin.king@canonical.com> Acked-By:
-
Horia Geantă authored
Commit 30724445 ("crypto: caam - generate hash keys in-place") fixed ahash implementation in caam/jr driver such that user-provided key buffer is not DMA mapped, since it's not guaranteed to be DMAable. Apply a similar fix for caam/qi2 driver. Cc: <stable@vger.kernel.org> # v4.20+ Fixes: 3f16f6c9 ("crypto: caam/qi2 - add support for ahash algorithms") Signed-off-by:
-
Horia Geantă authored
Commits c19650d6 ("crypto: caam - fix DMA mapping of stack memory") and 65055e21 ("crypto: caam - fix hash context DMA unmap size") fixed the ahash implementation in caam/jr driver such that req->result is not DMA-mapped (since it's not guaranteed to be DMA-able). Apply a similar fix for ahash implementation in caam/qi2 driver. Cc: <stable@vger.kernel.org> # v4.20+ Fixes: 3f16f6c9 ("crypto: caam/qi2 - add support for ahash algorithms") Signed-off-by:
-
Horia Geantă authored
Commit 04e6d25c ("crypto: caam - fix zero-length buffer DMA mapping") fixed an issue in caam/jr driver where ahash implementation was DMA mapping a zero-length buffer. Current commit applies a similar fix for caam/qi2 driver. Cc: <stable@vger.kernel.org> # v4.20+ Fixes: 3f16f6c9 ("crypto: caam/qi2 - add support for ahash algorithms") Signed-off-by:
-
Lionel Debieve authored
The kernel crypto API request output the next IV data to IV buffer for CBC implementation. Signed-off-by:
Lionel Debieve <lionel.debieve@st.com> Signed-off-by:
-
Lionel Debieve authored
Mutex is badly used between threaded irq and driver. This mutex must be removed as the framework must ensure that requests must be serialized to avoid issue. Rework req to avoid crash during finalize by fixing the NULL pointer issue. Signed-off-by:
-
Lionel Debieve authored
Add weak key test for des functions calling the generic des_ekey. Signed-off-by:
-
YueHaibing authored
Fixes gcc '-Wunused-but-set-variable' warning: drivers/crypto/atmel-tdes.c: In function 'atmel_tdes_setkey': drivers/crypto/atmel-tdes.c:803:14: warning: variable 'alg_name' set but not used [-Wunused-but-set-variable] It is not used any more since commit 52ea3cd2 ("crypto: atmel - Forbid 2-key 3DES in FIPS mode") Signed-off-by:
Nicolas Ferre <nicolas.ferre@microchip.com> Reviewed-by:
Tudor Ambarus <tudor.ambarus@microchip.com> Signed-off-by:
-
Kefeng Wang authored
Using dev_get_drvdata directly. Cc: Jamie Iles <jamie@jamieiles.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: "David S. Miller" <davem@davemloft.net> Cc: linux-crypto@vger.kernel.org Cc: linux-arm-kernel@lists.infradead.org Signed-off-by:
Kefeng Wang <wangkefeng.wang@huawei.com> Signed-off-by:
-
Christian Lamparter authored
using_sd is used as a stand-in for sa_command_0.bf.scatter that we need to set anyway, so we might as well just prevent double-accounting. Signed-off-by:
Christian Lamparter <chunkeey@gmail.com> Signed-off-by:
-
Christian Lamparter authored
This replaces struct crypto_skcipher and the extra request size with struct crypto_sync_skcipher and SYNC_SKCIPHER_REQUEST_ON_STACK(), which uses a fixed stack size. Signed-off-by:
-
Christian Lamparter authored
Currently, crypto4xx CFB and OFB AES ciphers are failing testmgr's test vectors. |cfb-aes-ppc4xx encryption overran dst buffer on test vector 3, cfg="in-place" |ofb-aes-ppc4xx encryption overran dst buffer on test vector 1, cfg="in-place" This is because of a very subtile "bug" in the hardware that gets indirectly mentioned in 18.1.3.5 Encryption/Decryption of the hardware spec: the OFB and CFB modes for AES are listed there as operation modes for >>> "Block ciphers" <<<. Which kind of makes sense, but we would like them to be considered as stream ciphers just like the CTR mode. To workaround this issue and stop the hardware from causing "overran dst buffer" on crypttexts that are not a multiple of 16 (AES_BLOCK_SIZE), we force the driver to use the scatter buffers as the go-between. As a bonus this patch also kills redundant pd_uinfo->num_gd and pd_uinfo->num_sd setters since the value has already been set before. Cc: stable@vger.kernel.org Fixes: f2a13e7c ("crypto: crypto4xx - enable AES RFC3686, ECB, CFB and OFB offloads") Signed-off-by:
-
Christian Lamparter authored
Commit 8efd972e ("crypto: testmgr - support checking skcipher output IV") caused the crypto4xx driver to produce the following error: | ctr-aes-ppc4xx encryption test failed (wrong output IV) | on test vector 0, cfg="in-place" This patch fixes this by reworking the crypto4xx_setkey_aes() function to: - not save the iv for ECB (as per 18.2.38 CRYP0_SA_CMD_0: "This bit mut be cleared for DES ECB mode or AES ECB mode, when no IV is used.") - instruct the hardware to save the generated IV for all other modes of operations that have IV and then supply it back to the callee in pretty much the same way as we do it for cbc-aes already. - make it clear that the DIR_(IN|OUT)BOUND is the important bit that tells the hardware to encrypt or decrypt the data. (this is cosmetic - but it hopefully prevents me from getting confused again). - don't load any bogus hash when we don't use any hash operation to begin with. Cc: stable@vger.kernel.org Fixes: f2a13e7c ("crypto: crypto4xx - enable AES RFC3686, ECB, CFB and OFB offloads") Signed-off-by:
-
- 25 Apr, 2019 8 commits
-
-
Vitaly Chikunov authored
Fix undefined symbol issue in ecrdsa_generic module when ASN1 or OID_REGISTRY aren't enabled in the config by selecting these options for CRYPTO_ECRDSA. ERROR: "asn1_ber_decoder" [crypto/ecrdsa_generic.ko] undefined! ERROR: "look_up_OID" [crypto/ecrdsa_generic.ko] undefined! Reported-by:
Randy Dunlap <rdunlap@infradead.org> Cc: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by:
Vitaly Chikunov <vt@altlinux.org> Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested Signed-off-by:
-
Masahiro Yamada authored
Instead of adding CFLAGS_<basename>.o to every file, let's use ccflags-y, which is effective for all C files in the directory. No behavior change. Signed-off-by:
Masahiro Yamada <yamada.masahiro@socionext.com> Signed-off-by:
-
Ofir Drang authored
in order to support cryptocell tee fips error that may occurs while cryptocell ree is suspended, an cc_tee_handle_fips_error call added to the cc_pm_resume function. Signed-off-by:
Ofir Drang <ofir.drang@arm.com> Signed-off-by:
-
Ofir Drang authored
Adds function that checks if cryptocell tee fips error occurred and in such case triggers system error through kernel panic. Change fips function to use this new routine. Signed-off-by:
-
Ofir Drang authored
During power management suspend the driver need to prepare the device for the power down operation and as a last indication write to the HOST_POWER_DOWN_EN register which signals to the hardware that The ccree is ready for power down. Signed-off-by:
-
Ofir Drang authored
AXIM configuration register modified in cc7x3 and no longer includes AXI interrupt masking fields. Signed-off-by:
-
Ofir Drang authored
On power management resume function first enable the device clk source to allow access to the device registers. Signed-off-by:
-
Gilad Ben-Yossef authored
The AEAD authenc key and IVs might be passed to us on stack. Copy it to a slab buffer before mapping to gurantee proper DMA mapping. Signed-off-by:
-
