From fbb726302a9ae06b373e04a54ad30eafa288dd10 Mon Sep 17 00:00:00 2001 From: Pan Bian Date: Tue, 13 Dec 2016 09:26:18 +0000 Subject: crypto: asymmetric_keys - set error code on failure In function public_key_verify_signature(), returns variable ret on error paths. When the call to kmalloc() fails, the value of ret is 0, and it is not set to an errno before returning. This patch fixes the bug. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188891 Signed-off-by: Pan Bian Signed-off-by: David Howells Signed-off-by: Herbert Xu --- crypto/asymmetric_keys/public_key.c | 1 + 1 file changed, 1 insertion(+) (limited to 'crypto') diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c index fd76b5fc3b3a..d3a989e718f5 100644 --- a/crypto/asymmetric_keys/public_key.c +++ b/crypto/asymmetric_keys/public_key.c @@ -121,6 +121,7 @@ int public_key_verify_signature(const struct public_key *pkey, if (ret) goto error_free_req; + ret = -ENOMEM; outlen = crypto_akcipher_maxsize(tfm); output = kmalloc(outlen, GFP_KERNEL); if (!output) -- cgit v1.2.3 From 18e615ad87bce9125ef3990377a4a946ec0f21f3 Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel Date: Tue, 13 Dec 2016 13:34:02 +0000 Subject: crypto: skcipher - fix crash in virtual walk The new skcipher walk API may crash in the following way. (Interestingly, the tcrypt boot time tests seem unaffected, while an explicit test using the module triggers it) Unable to handle kernel NULL pointer dereference at virtual address 00000000 ... [] __memcpy+0x84/0x180 [] skcipher_walk_done+0x328/0x340 [] ctr_encrypt+0x84/0x100 [] simd_skcipher_encrypt+0x88/0x98 [] crypto_rfc3686_crypt+0x8c/0x98 [] test_skcipher_speed+0x518/0x820 [tcrypt] [] do_test+0x1408/0x3b70 [tcrypt] [] tcrypt_mod_init+0x50/0x1000 [tcrypt] [] do_one_initcall+0x44/0x138 [] do_init_module+0x68/0x1e0 [] load_module+0x1fd0/0x2458 [] SyS_finit_module+0xe0/0xf0 [] el0_svc_naked+0x24/0x28 This is due to the fact that skcipher_done_slow() may be entered with walk->buffer unset. Since skcipher_walk_done() already deals with the case where walk->buffer == walk->page, it appears to be the intention that walk->buffer point to walk->page after skcipher_next_slow(), so ensure that is the case. Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu --- crypto/skcipher.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'crypto') diff --git a/crypto/skcipher.c b/crypto/skcipher.c index aca07c643d41..0e1e6c35188e 100644 --- a/crypto/skcipher.c +++ b/crypto/skcipher.c @@ -226,7 +226,9 @@ static int skcipher_next_slow(struct skcipher_walk *walk, unsigned int bsize) void *v; if (!phys) { - buffer = walk->buffer ?: walk->page; + if (!walk->buffer) + walk->buffer = walk->page; + buffer = walk->buffer; if (buffer) goto ok; } -- cgit v1.2.3