1. 10 Nov, 2017 9 commits
    • Eric Biggers's avatar
      lib/mpi: call cond_resched() from mpi_powm() loop · 1d9ddde1
      Eric Biggers authored
      On a non-preemptible kernel, if KEYCTL_DH_COMPUTE is called with the
      largest permitted inputs (16384 bits), the kernel spends 10+ seconds
      doing modular exponentiation in mpi_powm() without rescheduling.  If all
      threads do it, it locks up the system.  Moreover, it can cause
      rcu_sched-stall warnings.
      
      Notwithstanding the insanity of doing this calculation in kernel mode
      rather than in userspace, fix it by calling cond_resched() as each bit
      from the exponent is processed.  It's still noninterruptible, but at
      least it's preemptible now.
      
      Do the cond_resched() once per bit rather than once per MPI limb because
      each limb might still easily take 100+ milliseconds on slow CPUs.
      
      Cc: <stable@vger.kernel.org> # v4.12+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      1d9ddde1
    • Lionel Debieve's avatar
      crypto: stm32/hash - Fix return issue on update · 63c53823
      Lionel Debieve authored
      When data append reached the threshold for processing,
      we must inform that processing is on going to wait before
      managing the next request.
      Signed-off-by: default avatarLionel Debieve <lionel.debieve@st.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      63c53823
    • Eric Biggers's avatar
      crypto: dh - Remove pointless checks for NULL 'p' and 'g' · ced6a586
      Eric Biggers authored
      Neither 'p' nor 'g' can be NULL, as they were unpacked using
      crypto_dh_decode_key().  And it makes no sense for them to be optional.
      So remove the NULL checks that were copy-and-pasted into both modules.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarTudor Ambarus <tudor.ambarus@microchip.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      ced6a586
    • Eric Biggers's avatar
      crypto: qat - Clean up error handling in qat_dh_set_secret() · 5829cc8d
      Eric Biggers authored
      Update the error handling in qat_dh_set_secret() to mirror
      dh_set_secret().  The new version is less error-prone because freeing
      memory and setting the pointers to NULL is now only done in one place.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      5829cc8d
    • Eric Biggers's avatar
      crypto: dh - Don't permit 'key' or 'g' size longer than 'p' · ccd9888f
      Eric Biggers authored
      The "qat-dh" DH implementation assumes that 'key' and 'g' can be copied
      into a buffer with size 'p_size'.  However it was never checked that
      that was actually the case, which most likely allowed users to cause a
      buffer underflow via KEYCTL_DH_COMPUTE.
      
      Fix this by updating crypto_dh_decode_key() to verify this precondition
      for all DH implementations.
      
      Fixes: c9839143 ("crypto: qat - Add DH support")
      Cc: <stable@vger.kernel.org> # v4.8+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarTudor Ambarus <tudor.ambarus@microchip.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      ccd9888f
    • Eric Biggers's avatar
      crypto: dh - Don't permit 'p' to be 0 · 199512b1
      Eric Biggers authored
      If 'p' is 0 for the software Diffie-Hellman implementation, then
      dh_max_size() returns 0.  In the case of KEYCTL_DH_COMPUTE, this causes
      ZERO_SIZE_PTR to be passed to sg_init_one(), which with
      CONFIG_DEBUG_SG=y triggers the 'BUG_ON(!virt_addr_valid(buf));' in
      sg_set_buf().
      
      Fix this by making crypto_dh_decode_key() reject 0 for 'p'.  p=0 makes
      no sense for any DH implementation because 'p' is supposed to be a prime
      number.  Moreover, 'mod 0' is not mathematically defined.
      
      Bug report:
      
          kernel BUG at ./include/linux/scatterlist.h:140!
          invalid opcode: 0000 [#1] SMP KASAN
          CPU: 0 PID: 27112 Comm: syz-executor2 Not tainted 4.14.0-rc7-00010-gf5dbb5d0ce32-dirty #7
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.3-20171021_125229-anatol 04/01/2014
          task: ffff88006caac0c0 task.stack: ffff88006c7c8000
          RIP: 0010:sg_set_buf include/linux/scatterlist.h:140 [inline]
          RIP: 0010:sg_init_one+0x1b3/0x240 lib/scatterlist.c:156
          RSP: 0018:ffff88006c7cfb08 EFLAGS: 00010216
          RAX: 0000000000010000 RBX: ffff88006c7cfe30 RCX: 00000000000064ee
          RDX: ffffffff81cf64c3 RSI: ffffc90000d72000 RDI: ffffffff92e937e0
          RBP: ffff88006c7cfb30 R08: ffffed000d8f9fab R09: ffff88006c7cfd30
          R10: 0000000000000005 R11: ffffed000d8f9faa R12: ffff88006c7cfd30
          R13: 0000000000000000 R14: 0000000000000010 R15: ffff88006c7cfc50
          FS:  00007fce190fa700(0000) GS:ffff88003ea00000(0000) knlGS:0000000000000000
          CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
          CR2: 00007fffc6b33db8 CR3: 000000003cf64000 CR4: 00000000000006f0
          Call Trace:
           __keyctl_dh_compute+0xa95/0x19b0 security/keys/dh.c:360
           keyctl_dh_compute+0xac/0x100 security/keys/dh.c:434
           SYSC_keyctl security/keys/keyctl.c:1745 [inline]
           SyS_keyctl+0x72/0x2c0 security/keys/keyctl.c:1641
           entry_SYSCALL_64_fastpath+0x1f/0xbe
          RIP: 0033:0x4585c9
          RSP: 002b:00007fce190f9bd8 EFLAGS: 00000216 ORIG_RAX: 00000000000000fa
          RAX: ffffffffffffffda RBX: 0000000000738020 RCX: 00000000004585c9
          RDX: 000000002000d000 RSI: 0000000020000ff4 RDI: 0000000000000017
          RBP: 0000000000000046 R08: 0000000020008000 R09: 0000000000000000
          R10: 0000000000000000 R11: 0000000000000216 R12: 00007fff6e610cde
          R13: 00007fff6e610cdf R14: 00007fce190fa700 R15: 0000000000000000
          Code: 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 33 5b 45 89 6c 24 14 41 5c 41 5d 41 5e 41 5f 5d c3 e8 fd 8f 68 ff <0f> 0b e8 f6 8f 68 ff 0f 0b e8 ef 8f 68 ff 0f 0b e8 e8 8f 68 ff 20
          RIP: sg_set_buf include/linux/scatterlist.h:140 [inline] RSP: ffff88006c7cfb08
          RIP: sg_init_one+0x1b3/0x240 lib/scatterlist.c:156 RSP: ffff88006c7cfb08
      
      Fixes: 802c7f1c ("crypto: dh - Add DH software implementation")
      Cc: <stable@vger.kernel.org> # v4.8+
      Reviewed-by: default avatarTudor Ambarus <tudor.ambarus@microchip.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      199512b1
    • Eric Biggers's avatar
      crypto: dh - Fix double free of ctx->p · 12d41a02
      Eric Biggers authored
      When setting the secret with the software Diffie-Hellman implementation,
      if allocating 'g' failed (e.g. if it was longer than
      MAX_EXTERN_MPI_BITS), then 'p' was freed twice: once immediately, and
      once later when the crypto_kpp tfm was destroyed.
      
      Fix it by using dh_free_ctx() (renamed to dh_clear_ctx()) in the error
      paths, as that correctly sets the pointers to NULL.
      
      KASAN report:
      
          MPI: mpi too large (32760 bits)
          ==================================================================
          BUG: KASAN: use-after-free in mpi_free+0x131/0x170
          Read of size 4 at addr ffff88006c7cdf90 by task reproduce_doubl/367
      
          CPU: 1 PID: 367 Comm: reproduce_doubl Not tainted 4.14.0-rc7-00040-g05298abde6fe #7
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
          Call Trace:
           dump_stack+0xb3/0x10b
           ? mpi_free+0x131/0x170
           print_address_description+0x79/0x2a0
           ? mpi_free+0x131/0x170
           kasan_report+0x236/0x340
           ? akcipher_register_instance+0x90/0x90
           __asan_report_load4_noabort+0x14/0x20
           mpi_free+0x131/0x170
           ? akcipher_register_instance+0x90/0x90
           dh_exit_tfm+0x3d/0x140
           crypto_kpp_exit_tfm+0x52/0x70
           crypto_destroy_tfm+0xb3/0x250
           __keyctl_dh_compute+0x640/0xe90
           ? kasan_slab_free+0x12f/0x180
           ? dh_data_from_key+0x240/0x240
           ? key_create_or_update+0x1ee/0xb20
           ? key_instantiate_and_link+0x440/0x440
           ? lock_contended+0xee0/0xee0
           ? kfree+0xcf/0x210
           ? SyS_add_key+0x268/0x340
           keyctl_dh_compute+0xb3/0xf1
           ? __keyctl_dh_compute+0xe90/0xe90
           ? SyS_add_key+0x26d/0x340
           ? entry_SYSCALL_64_fastpath+0x5/0xbe
           ? trace_hardirqs_on_caller+0x3f4/0x560
           SyS_keyctl+0x72/0x2c0
           entry_SYSCALL_64_fastpath+0x1f/0xbe
          RIP: 0033:0x43ccf9
          RSP: 002b:00007ffeeec96158 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa
          RAX: ffffffffffffffda RBX: 000000000248b9b9 RCX: 000000000043ccf9
          RDX: 00007ffeeec96170 RSI: 00007ffeeec96160 RDI: 0000000000000017
          RBP: 0000000000000046 R08: 0000000000000000 R09: 0248b9b9143dc936
          R10: 0000000000001000 R11: 0000000000000246 R12: 0000000000000000
          R13: 0000000000409670 R14: 0000000000409700 R15: 0000000000000000
      
          Allocated by task 367:
           save_stack_trace+0x16/0x20
           kasan_kmalloc+0xeb/0x180
           kmem_cache_alloc_trace+0x114/0x300
           mpi_alloc+0x4b/0x230
           mpi_read_raw_data+0xbe/0x360
           dh_set_secret+0x1dc/0x460
           __keyctl_dh_compute+0x623/0xe90
           keyctl_dh_compute+0xb3/0xf1
           SyS_keyctl+0x72/0x2c0
           entry_SYSCALL_64_fastpath+0x1f/0xbe
      
          Freed by task 367:
           save_stack_trace+0x16/0x20
           kasan_slab_free+0xab/0x180
           kfree+0xb5/0x210
           mpi_free+0xcb/0x170
           dh_set_secret+0x2d7/0x460
           __keyctl_dh_compute+0x623/0xe90
           keyctl_dh_compute+0xb3/0xf1
           SyS_keyctl+0x72/0x2c0
           entry_SYSCALL_64_fastpath+0x1f/0xbe
      
      Fixes: 802c7f1c ("crypto: dh - Add DH software implementation")
      Cc: <stable@vger.kernel.org> # v4.8+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarTudor Ambarus <tudor.ambarus@microchip.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      12d41a02
    • Florian Fainelli's avatar
      hwrng: iproc-rng200 - Add support for BCM7278 · c3577f61
      Florian Fainelli authored
      BCM7278 features a RNG200 hardware random number generator block, add
      support for this chip by matching the chip-specific compatible string
      and extending the Kconfig dependencies to allow building on ARCH_BRCMSTB
      (base platform for 7278).
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      c3577f61
    • Florian Fainelli's avatar
      dt-bindings: rng: Document BCM7278 RNG200 compatible · 8ddef132
      Florian Fainelli authored
      BCM7278 includes a RGN200 hardware random number generator, document the
      compatible string for that version of the IP.
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Acked-by: default avatarRob Herring <robh@kernel.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      8ddef132
  2. 06 Nov, 2017 8 commits
  3. 03 Nov, 2017 23 commits