author | Justin M. Forbes <jforbes@redhat.com> | 2016-10-18 17:08:00 -0500 |
---|---|---|
committer | Justin M. Forbes <jforbes@redhat.com> | 2016-10-18 17:08:00 -0500 |
commit | 7f02b9bea495c176b43b7674195179e208930a5d (patch) | |
tree | aae16bfd85a0710ad6733e145e4395b495c113b8 | |
parent | 3736ad1aa68b862e1df2594178108d6da1f59641 (diff) | |
Fix memory corruption caused by p8_ghash and xfs xattr issue
-rw-r--r-- | 0001-Make-__xfs_xattr_put_listen-preperly-report-errors.patch | 44 | ||||
-rw-r--r-- | 0001-crypto-ghash-generic-move-common-definitions-to-a-ne.patch | 81 | ||||
-rw-r--r-- | 0001-crypto-vmx-Fix-memory-corruption-caused-by-p8_ghash.patch | 103 | ||||
-rw-r--r-- | kernel.spec | 11 |
4 files changed, 239 insertions, 0 deletions
diff --git a/0001-Make-__xfs_xattr_put_listen-preperly-report-errors.patch b/0001-Make-__xfs_xattr_put_listen-preperly-report-errors.patch
new file mode 100644
index 000000000..c6a47831a
--- /dev/null
+++ b/0001-Make-__xfs_xattr_put_listen-preperly-report-errors.patch
@@ -0,0 +1,44 @@
+From 791cc43b36eb1f88166c8505900cad1b43c7fe1a Mon Sep 17 00:00:00 2001
+From: Artem Savkov <asavkov@redhat.com>
+Date: Wed, 14 Sep 2016 07:40:35 +1000
+Subject: [PATCH] Make __xfs_xattr_put_listen preperly report errors.
+
+Commit 2a6fba6 "xfs: only return -errno or success from attr ->put_listent"
+changes the returnvalue of __xfs_xattr_put_listen to 0 in case when there is
+insufficient space in the buffer assuming that setting context->count to -1
+would be enough, but all of the ->put_listent callers only check seen_enough.
+This results in a failed assertion:
+XFS: Assertion failed: context->count >= 0, file: fs/xfs/xfs_xattr.c, line: 175
+in insufficient buffer size case.
+
+This is only reproducible with at least 2 xattrs and only when the buffer
+gets depleted before the last one.
+
+Furthermore if buffersize is such that it is enough to hold the last xattr's
+name, but not enough to hold the sum of preceeding xattr names listxattr won't
+fail with ERANGE, but will suceed returning last xattr's name without the
+first character. The first character end's up overwriting data stored at
+(context->alist - 1).
+
+Signed-off-by: Artem Savkov <asavkov@redhat.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Signed-off-by: Dave Chinner <david@fromorbit.com>
+---
+ fs/xfs/xfs_xattr.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/xfs/xfs_xattr.c b/fs/xfs/xfs_xattr.c
+index ea62245..6290093 100644
+--- a/fs/xfs/xfs_xattr.c
++++ b/fs/xfs/xfs_xattr.c
+@@ -147,6 +147,7 @@ __xfs_xattr_put_listent(
+ arraytop = context->count + prefix_len + namelen + 1;
+ if (arraytop > context->firstu) {
+ context->count = -1; /* insufficient space */
++ context->seen_enough = 1;
+ return 0;
+ }
+ offset = (char *)context->alist + context->count;
+-- 
+2.7.4
+
diff --git a/0001-crypto-ghash-generic-move-common-definitions-to-a-ne.patch b/0001-crypto-ghash-generic-move-common-definitions-to-a-ne.patch
new file mode 100644
index 000000000..70fec4147
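Review bot: The added `context->seen_enough = 1;` in __xfs_xattr_put_listent has no comment, although the branch still returns 0 and this line is the only thing that halts the attribute walk once the buffer is full. According to the patch description, callers test only seen_enough and not count, and without the stop a later name can be written starting one byte before context->alist. I would add a comment such as `/* callers only check seen_enough; stop the walk so no later entry is copied */`, so that the pairing with `context->count = -1` is not dropped in a later cleanup. The function begins and ends outside the inner hunk, so whether callers turn count == -1 into ERANGE cannot be confirmed from these lines.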
--- /dev/null
+++ b/0001-crypto-ghash-generic-move-common-definitions-to-a-ne.patch
@@ -0,0 +1,81 @@
+From a397ba829d7f8aff4c90af3704573a28ccd61a59 Mon Sep 17 00:00:00 2001
+From: Marcelo Cerri <marcelo.cerri@canonical.com>
+Date: Wed, 28 Sep 2016 13:42:09 -0300
+Subject: [PATCH] crypto: ghash-generic - move common definitions to a new
+ header file
+
+Move common values and types used by ghash-generic to a new header file
+so drivers can directly use ghash-generic as a fallback implementation.
+
+Fixes: cc333cd68dfa ("crypto: vmx - Adding GHASH routines for VMX module")
+Cc: stable@vger.kernel.org
+Signed-off-by: Marcelo Cerri <marcelo.cerri@canonical.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+---
+ crypto/ghash-generic.c | 13 +------------
+ include/crypto/ghash.h | 23 +++++++++++++++++++++++
+ 2 files changed, 24 insertions(+), 12 deletions(-)
+ create mode 100644 include/crypto/ghash.h
+
+diff --git a/crypto/ghash-generic.c b/crypto/ghash-generic.c
+index bac7099..12ad3e3 100644
+--- a/crypto/ghash-generic.c
++++ b/crypto/ghash-generic.c
+@@ -14,24 +14,13 @@
+
+ #include <crypto/algapi.h>
+ #include <crypto/gf128mul.h>
++#include <crypto/ghash.h>
+ #include <crypto/internal/hash.h>
+ #include <linux/crypto.h>
+ #include <linux/init.h>
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+
+-#define GHASH_BLOCK_SIZE 16
+-#define GHASH_DIGEST_SIZE 16
+-
+-struct ghash_ctx {
+- struct gf128mul_4k *gf128;
+-};
+-
+-struct ghash_desc_ctx {
+- u8 buffer[GHASH_BLOCK_SIZE];
+- u32 bytes;
+-};
+-
+ static int ghash_init(struct shash_desc *desc)
+ {
+ struct ghash_desc_ctx *dctx = shash_desc_ctx(desc);
+diff --git a/include/crypto/ghash.h b/include/crypto/ghash.h
+new file mode 100644
+index 0000000..2a61c9b
+--- /dev/null
++++ b/include/crypto/ghash.h
+@@ -0,0 +1,23 @@
++/*
++ * Common values for GHASH algorithms
++ */
++
++#ifndef __CRYPTO_GHASH_H__
++#define __CRYPTO_GHASH_H__
++
++#include <linux/types.h>
++#include <crypto/gf128mul.h>
++
++#define GHASH_BLOCK_SIZE 16
++#define GHASH_DIGEST_SIZE 16
++
++struct ghash_ctx {
++ struct gf128mul_4k *gf128;
++};
++
++struct ghash_desc_ctx {
++ u8 buffer[GHASH_BLOCK_SIZE];
++ u32 bytes;
++};
++
++#endif
+-- 
+2.7.4
+
diff --git a/0001-crypto-vmx-Fix-memory-corruption-caused-by-p8_ghash.patch b/0001-crypto-vmx-Fix-memory-corruption-caused-by-p8_ghash.patch
new file mode 100644
index 000000000..69bce6507
--- /dev/null
+++ b/0001-crypto-vmx-Fix-memory-corruption-caused-by-p8_ghash.patch
@@ -0,0 +1,103 @@
+From 80da44c29d997e28c4442825f35f4ac339813877 Mon Sep 17 00:00:00 2001
+From: Marcelo Cerri <marcelo.cerri@canonical.com>
+Date: Wed, 28 Sep 2016 13:42:10 -0300
+Subject: [PATCH] crypto: vmx - Fix memory corruption caused by p8_ghash
+
+This patch changes the p8_ghash driver to use ghash-generic as a fixed
+fallback implementation. This allows the correct value of descsize to be
+defined directly in its shash_alg structure and avoids problems with
+incorrect buffer sizes when its state is exported or imported.
+
+Reported-by: Jan Stancek <jstancek@redhat.com>
+Fixes: cc333cd68dfa ("crypto: vmx - Adding GHASH routines for VMX module")
+Cc: stable@vger.kernel.org
+Signed-off-by: Marcelo Cerri <marcelo.cerri@canonical.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+---
+ drivers/crypto/vmx/ghash.c | 31 ++++++++++++++++---------------
+ 1 file changed, 16 insertions(+), 15 deletions(-)
+
+diff --git a/drivers/crypto/vmx/ghash.c b/drivers/crypto/vmx/ghash.c
+index 6c999cb0..27a94a1 100644
+--- a/drivers/crypto/vmx/ghash.c
++++ b/drivers/crypto/vmx/ghash.c
+@@ -26,16 +26,13 @@
+ #include <linux/hardirq.h>
+ #include <asm/switch_to.h>
+ #include <crypto/aes.h>
++#include <crypto/ghash.h>
+ #include <crypto/scatterwalk.h>
+ #include <crypto/internal/hash.h>
+ #include <crypto/b128ops.h>
+
+ #define IN_INTERRUPT in_interrupt()
+
+-#define GHASH_BLOCK_SIZE (16)
+-#define GHASH_DIGEST_SIZE (16)
+-#define GHASH_KEY_LEN (16)
+-
+ void gcm_init_p8(u128 htable[16], const u64 Xi[2]);
+ void gcm_gmult_p8(u64 Xi[2], const u128 htable[16]);
+ void gcm_ghash_p8(u64 Xi[2], const u128 htable[16],
+@@ -55,16 +52,11 @@ struct p8_ghash_desc_ctx {
+
+ static int p8_ghash_init_tfm(struct crypto_tfm *tfm)
+ {
+- const char *alg;
++ const char *alg = "ghash-generic";
+ struct crypto_shash *fallback;
+ struct crypto_shash *shash_tfm = __crypto_shash_cast(tfm);
+ struct p8_ghash_ctx *ctx = crypto_tfm_ctx(tfm);
+
+- if (!(alg = crypto_tfm_alg_name(tfm))) {
+- printk(KERN_ERR "Failed to get algorithm name.\n");
+- return -ENOENT;
+- }
+-
+ fallback = crypto_alloc_shash(alg, 0, CRYPTO_ALG_NEED_FALLBACK);
+ if (IS_ERR(fallback)) {
+ printk(KERN_ERR
+@@ -78,10 +70,18 @@ static int p8_ghash_init_tfm(struct crypto_tfm *tfm)
+ crypto_shash_set_flags(fallback,
+ crypto_shash_get_flags((struct crypto_shash
+ *) tfm));
+- ctx->fallback = fallback;
+
+- shash_tfm->descsize = sizeof(struct p8_ghash_desc_ctx)
+- + crypto_shash_descsize(fallback);
++ /* Check if the descsize defined in the algorithm is still enough. */
++ if (shash_tfm->descsize < sizeof(struct p8_ghash_desc_ctx)
++ + crypto_shash_descsize(fallback)) {
++ printk(KERN_ERR
++ "Desc size of the fallback implementation (%s) does not match the expected value: %lu vs %u\n",
++ alg,
++ shash_tfm->descsize - sizeof(struct p8_ghash_desc_ctx),
++ crypto_shash_descsize(fallback));
++ return -EINVAL;
++ }
++ ctx->fallback = fallback;
+
+ return 0;
+ }
+@@ -113,7 +113,7 @@ static int p8_ghash_setkey(struct crypto_shash *tfm, const u8 *key,
+ {
+ struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(tfm));
+
+- if (keylen != GHASH_KEY_LEN)
++ if (keylen != GHASH_BLOCK_SIZE)
+ return -EINVAL;
+
+ preempt_disable();
+@@ -211,7 +211,8 @@ struct shash_alg p8_ghash_alg = {
+ .update = p8_ghash_update,
+ .final = p8_ghash_final,
+ .setkey = p8_ghash_setkey,
+- .descsize = sizeof(struct p8_ghash_desc_ctx),
++ .descsize = sizeof(struct p8_ghash_desc_ctx)
++ + sizeof(struct ghash_desc_ctx),
+ .base = {
+ .cra_name = "ghash",
+ .cra_driver_name = "p8_ghash",
+-- 
+2.7.4
+
diff --git a/kernel.spec b/kernel.spec
index 0cd41e519..83b208104 100644
--- a/kernel.spec
+++ b/kernel.spec
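Review bot: The new descsize check in p8_ghash_init_tfm returns -EINVAL without releasing the fallback transform obtained from crypto_alloc_shash() a few lines earlier. ctx->fallback is now assigned only after the check, so nothing visible still refers to the allocation on that path and it appears to leak; add `crypto_free_shash(fallback);` before `return -EINVAL;`. The same printk passes `shash_tfm->descsize - sizeof(struct p8_ghash_desc_ctx)`, a size_t expression, to `%lu`, where `%zu` is the matching specifier, and the subtraction would wrap if descsize were ever smaller than the struct. The start of the function and its exit_tfm counterpart lie outside the inner hunks, so confirm that no other cleanup path already covers the failed-init case.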
@@ -629,6 +629,13 @@ Patch850: arcmsr-buffer-overflow-in-archmsr_iop_message_xfer.patch #rhbz 1366842 Patch851: drm-virtio-reinstate-drm_virtio_set_busid.patch +# Fix memory corruption caused by p8_ghash +Patch852: 0001-crypto-ghash-generic-move-common-definitions-to-a-ne.patch +Patch853: 0001-crypto-vmx-Fix-memory-corruption-caused-by-p8_ghash.patch + +#rhbz 1384606 +Patch854: 0001-Make-__xfs_xattr_put_listen-preperly-report-errors.patch + # END OF PATCH DEFINITIONS %endif @@ -2165,6 +2172,10 @@ fi # # %changelog +* Tue Oct 18 2016 Justin M. Forbes <jforbes@fedoraproject.org> +- Fix memory corruption caused by p8_ghash +- Make __xfs_xattr_put_listen preperly report errors (rhbz 1384606) + * Tue Oct 18 2016 Peter Robinson <pbrobinson@fedoraproject.org> - Disable ACPI_CPPC_CPUFREQ on aarch64 |