Stable Archive on lore.kernel.org
 help / color / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Eric Biggers <ebiggers@google.com>,
	Herbert Xu <herbert@gondor.apana.org.au>
Subject: [PATCH 4.19 030/105] crypto: arm/aes-neonbs - dont access already-freed walk.iv
Date: Mon, 20 May 2019 14:13:36 +0200
Message-ID: <20190520115249.126168343@linuxfoundation.org> (raw)
In-Reply-To: <20190520115247.060821231@linuxfoundation.org>

From: Eric Biggers <ebiggers@google.com>

commit 767f015ea0b7ab9d60432ff6cd06b664fd71f50f upstream.

If the user-provided IV needs to be aligned to the algorithm's
alignmask, then skcipher_walk_virt() copies the IV into a new aligned
buffer walk.iv.  But skcipher_walk_virt() can fail afterwards, and then
if the caller unconditionally accesses walk.iv, it's a use-after-free.

arm32 xts-aes-neonbs doesn't set an alignmask, so currently it isn't
affected by this despite unconditionally accessing walk.iv.  However
this is more subtle than desired, and it was actually broken prior to
the alignmask being removed by commit cc477bf64573 ("crypto: arm/aes -
replace bit-sliced OpenSSL NEON code").  Thus, update xts-aes-neonbs to
start checking the return value of skcipher_walk_virt().

Fixes: e4e7f10bfc40 ("ARM: add support for bit sliced AES using NEON instructions")
Cc: <stable@vger.kernel.org> # v3.13+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/crypto/aes-neonbs-glue.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/arm/crypto/aes-neonbs-glue.c
+++ b/arch/arm/crypto/aes-neonbs-glue.c
@@ -278,6 +278,8 @@ static int __xts_crypt(struct skcipher_r
 	int err;
 
 	err = skcipher_walk_virt(&walk, req, true);
+	if (err)
+		return err;
 
 	crypto_cipher_encrypt_one(ctx->tweak_tfm, walk.iv, walk.iv);
 



  parent reply index

Thread overview: 131+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-20 12:13 [PATCH 4.19 000/105] 4.19.45-stable review Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 001/105] locking/rwsem: Prevent decrement of reader count before increment Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 002/105] x86/speculation/mds: Revert CPU buffer clear on double fault exit Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 003/105] x86/speculation/mds: Improve CPU buffer clear documentation Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 004/105] objtool: Fix function fallthrough detection Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 005/105] arm64: dts: rockchip: Disable DCMDs on RK3399s eMMC controller Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 006/105] ARM: dts: exynos: Fix interrupt for shared EINTs on Exynos5260 Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 007/105] ARM: dts: exynos: Fix audio (microphone) routing on Odroid XU3 Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 008/105] mmc: sdhci-of-arasan: Add DTS property to disable DCMDs Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 009/105] ARM: exynos: Fix a leaked reference by adding missing of_node_put Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 010/105] power: supply: axp288_charger: Fix unchecked return value Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 011/105] power: supply: axp288_fuel_gauge: Add ACEPC T8 and T11 mini PCs to the blacklist Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 012/105] arm64: mmap: Ensure file offset is treated as unsigned Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 013/105] arm64: arch_timer: Ensure counter register reads occur with seqlock held Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 014/105] arm64: compat: Reduce address limit Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 015/105] arm64: Clear OSDLR_EL1 on CPU boot Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 016/105] arm64: Save and restore OSDLR_EL1 across suspend/resume Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 017/105] sched/x86: Save [ER]FLAGS on context switch Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 018/105] crypto: crypto4xx - fix ctr-aes missing output IV Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 019/105] crypto: crypto4xx - fix cfb and ofb "overran dst buffer" issues Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 020/105] crypto: salsa20 - dont access already-freed walk.iv Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 021/105] crypto: chacha20poly1305 - set cra_name correctly Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 022/105] crypto: ccp - Do not free psp_master when PLATFORM_INIT fails Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 023/105] crypto: vmx - fix copy-paste error in CTR mode Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 024/105] crypto: skcipher - dont WARN on unprocessed data after slow walk step Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 025/105] crypto: crct10dif-generic - fix use via crypto_shash_digest() Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 026/105] crypto: x86/crct10dif-pcl " Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 027/105] crypto: arm64/gcm-aes-ce - fix no-NEON fallback code Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 028/105] crypto: gcm - fix incompatibility between "gcm" and "gcm_base" Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 029/105] crypto: rockchip - update IV buffer to contain the next IV Greg Kroah-Hartman
2019-05-20 12:13 ` Greg Kroah-Hartman [this message]
2019-05-20 12:13 ` [PATCH 4.19 031/105] crypto: arm64/aes-neonbs - dont access already-freed walk.iv Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 032/105] mmc: core: Fix tag set memory leak Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 033/105] ALSA: line6: toneport: Fix broken usage of timer for delayed execution Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 034/105] ALSA: usb-audio: Fix a memory leak bug Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 035/105] ALSA: hda/hdmi - Read the pin sense from register when repolling Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 036/105] ALSA: hda/hdmi - Consider eld_valid when reporting jack event Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 037/105] ALSA: hda/realtek - EAPD turn on later Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 038/105] ALSA: hdea/realtek - Headset fixup for System76 Gazelle (gaze14) Greg Kroah-Hartman
2019-05-22  9:15   ` Pavel Machek
2019-05-22 10:22     ` Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 039/105] ASoC: max98090: Fix restore of DAPM Muxes Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 040/105] ASoC: RT5677-SPI: Disable 16Bit SPI Transfers Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 041/105] ASoC: fsl_esai: Fix missing break in switch statement Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 042/105] ASoC: codec: hdac_hdmi add device_link to card device Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 043/105] bpf, arm64: remove prefetch insn in xadd mapping Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 044/105] crypto: ccree - remove special handling of chained sg Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 045/105] crypto: ccree - fix mem leak on error path Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 046/105] crypto: ccree - dont map MAC key on stack Greg Kroah-Hartman
2019-05-22  8:49   ` Pavel Machek
2019-05-20 12:13 ` [PATCH 4.19 047/105] crypto: ccree - use correct internal state sizes for export Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 048/105] crypto: ccree - dont map AEAD key and IV on stack Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 049/105] crypto: ccree - pm resume first enable the source clk Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 050/105] crypto: ccree - HOST_POWER_DOWN_EN should be the last CC access during suspend Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 051/105] crypto: ccree - add function to handle cryptocell tee fips error Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 052/105] crypto: ccree - handle tee fips error during power management resume Greg Kroah-Hartman
2019-05-20 12:13 ` [PATCH 4.19 053/105] mm/mincore.c: make mincore() more conservative Greg Kroah-Hartman
2019-05-22  8:57   ` Pavel Machek
2019-05-22  9:21     ` Michal Hocko
2019-05-23  9:18       ` Kevin Easton
2019-05-20 12:14 ` [PATCH 4.19 054/105] mm/huge_memory: fix vmf_insert_pfn_{pmd, pud}() crash, handle unaligned addresses Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 055/105] mm/hugetlb.c: dont put_page in lock of hugetlb_lock Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 056/105] hugetlb: use same fault hash key for shared and private mappings Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 057/105] ocfs2: fix ocfs2 read inode data panic in ocfs2_iget Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 058/105] userfaultfd: use RCU to free the task struct when fork fails Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 059/105] ACPI: PM: Set enable_for_wake for wakeup GPEs during suspend-to-idle Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 060/105] mfd: da9063: Fix OTP control register names to match datasheets for DA9063/63L Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 061/105] mfd: max77620: Fix swapped FPS_PERIOD_MAX_US values Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 062/105] mtd: spi-nor: intel-spi: Avoid crossing 4K address boundary on read/write Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 063/105] tty: vt.c: Fix TIOCL_BLANKSCREEN console blanking if blankinterval == 0 Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 064/105] tty/vt: fix write/write race in ioctl(KDSKBSENT) handler Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 065/105] jbd2: check superblock mapped prior to committing Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 066/105] ext4: make sanity check in mballoc more strict Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 067/105] ext4: protect journal inodes blocks using block_validity Greg Kroah-Hartman
2019-05-22  9:18   ` Pavel Machek
2019-05-22 10:21     ` Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 068/105] ext4: ignore e_value_offs for xattrs with value-in-ea-inode Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 069/105] ext4: avoid drop reference to iloc.bh twice Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 070/105] ext4: fix use-after-free race with debug_want_extra_isize Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 071/105] ext4: actually request zeroing of inode table after grow Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 072/105] ext4: fix ext4_show_options for file systems w/o journal Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 073/105] btrfs: Check the first key and level for cached extent buffer Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 074/105] btrfs: Correctly free extent buffer in case btree_read_extent_buffer_pages fails Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 075/105] btrfs: Honour FITRIM range constraints during free space trim Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 076/105] Btrfs: send, flush dellaloc in order to avoid data loss Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 077/105] Btrfs: do not start a transaction during fiemap Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 078/105] Btrfs: do not start a transaction at iterate_extent_inodes() Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 079/105] bcache: fix a race between cache register and cacheset unregister Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 080/105] bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim() Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 081/105] ipmi:ssif: compare block number correctly for multi-part return messages Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 082/105] crypto: ccm - fix incompatibility between "ccm" and "ccm_base" Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 083/105] fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 084/105] tty: Dont force RISCV SBI console as preferred console Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 085/105] ext4: zero out the unused memory region in the extent tree block Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 086/105] ext4: fix data corruption caused by overlapping unaligned and aligned IO Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 087/105] ext4: fix use-after-free in dx_release() Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 088/105] ext4: avoid panic during forced reboot due to aborted journal Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 089/105] ALSA: hda/realtek - Corrected fixup for System76 Gazelle (gaze14) Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 090/105] ALSA: hda/realtek - Fixup headphone noise via runtime suspend Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 091/105] ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 092/105] jbd2: fix potential double free Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 093/105] KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes Greg Kroah-Hartman
2019-05-22 11:20   ` Pavel Machek
2019-05-20 12:14 ` [PATCH 4.19 094/105] KVM: lapic: Busy wait for timer to expire when using hv_timer Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 095/105] kbuild: turn auto.conf.cmd into a mandatory include file Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 096/105] xen/pvh: set xen_domain_type to HVM in xen_pvh_init Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 097/105] libnvdimm/namespace: Fix label tracking error Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 098/105] iov_iter: optimize page_copy_sane() Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 099/105] pstore: Centralize init/exit routines Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 100/105] pstore: Allocate compression during late_initcall() Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 101/105] pstore: Refactor compression initialization Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 102/105] ext4: unsigned int compared against zero Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 103/105] ext4: fix block validity checks for journal inodes using indirect blocks Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 104/105] ext4: fix compile error when using BUFFER_TRACE Greg Kroah-Hartman
2019-05-20 12:14 ` [PATCH 4.19 105/105] ext4: dont update s_rev_level if not required Greg Kroah-Hartman
2019-05-20 17:48 ` [PATCH 4.19 000/105] 4.19.45-stable review kernelci.org bot
2019-05-20 22:23 ` Dan Rue
2019-05-21  8:59   ` Greg Kroah-Hartman
2019-05-21  9:28     ` Naresh Kamboju
2019-05-21  9:38       ` ext4 regression (was Re: [PATCH 4.19 000/105] 4.19.45-stable review) Greg Kroah-Hartman
2019-05-21 10:28         ` Naresh Kamboju
2019-05-21 16:21           ` Theodore Ts'o
2019-05-21 16:30             ` Greg Kroah-Hartman
2019-05-21 16:44               ` Greg Kroah-Hartman
2019-05-21 17:57             ` Naresh Kamboju
2019-05-22  5:05               ` Theodore Ts'o
2019-05-22 10:20                 ` Naresh Kamboju
2019-05-21 15:02         ` Dan Rue
2019-05-21  8:51 ` [PATCH 4.19 000/105] 4.19.45-stable review Jon Hunter
2019-05-21 21:31 ` shuah
2019-05-22  5:04 ` Naresh Kamboju

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190520115249.126168343@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=ebiggers@google.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Stable Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/stable/0 stable/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 stable stable/ https://lore.kernel.org/stable \
		stable@vger.kernel.org stable@archiver.kernel.org
	public-inbox-index stable


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.stable


AGPL code for this site: git clone https://public-inbox.org/ public-inbox