From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Jussi Kivilinna <jussi.kivilinna@mbnet.fi>,
Horia Geanta <horia.geanta@freescale.com>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: [PATCH 3.10 08/52] crypto: ccm - Fix handling of zero plaintext when computing mac
Date: Tue, 10 Dec 2013 00:00:41 -0800
Message-ID: <20131210075954.795532731@linuxfoundation.org>
In-Reply-To: <20131210075954.196229872@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Horia Geanta <horia.geanta@freescale.com>
commit 5638cabf3e4883f38dfb246c30980cebf694fbda upstream.
There are cases when cryptlen can be zero in crypto_ccm_auth():
- encryption: input scatterlist length is zero (no plaintext)
- decryption: input scatterlist contains only the mac
plus the condition of having different source and destination buffers
(or else scatterlist length = max(plaintext_len, ciphertext_len)).
These are not handled correctly, leading to crashes like:
root@p4080ds:~/crypto# insmod tcrypt.ko mode=45
------------[ cut here ]------------
kernel BUG at crypto/scatterwalk.c:37!
Oops: Exception in kernel mode, sig: 5 [#1]
SMP NR_CPUS=8 P4080 DS
Modules linked in: tcrypt(+) crc32c xts xcbc vmac pcbc ecb gcm ghash_generic gf128mul ccm ctr seqiv
CPU: 3 PID: 1082 Comm: cryptomgr_test Not tainted 3.11.0 #14
task: ee12c5b0 ti: eecd0000 task.ti: eecd0000
NIP: c0204d98 LR: f9225848 CTR: c0204d80
REGS: eecd1b70 TRAP: 0700 Not tainted (3.11.0)
MSR: 00029002 <CE,EE,ME> CR: 22044022 XER: 20000000
GPR00: f9225c94 eecd1c20 ee12c5b0 eecd1c28 ee879400 ee879400 00000000 ee607464
GPR08: 00000001 00000001 00000000 006b0000 c0204d80 00000000 00000002 c0698e20
GPR16: ee987000 ee895000 fffffff4 ee879500 00000100 eecd1d58 00000001 00000000
GPR24: ee879400 00000020 00000000 00000000 ee5b2800 ee607430 00000004 ee607460
NIP [c0204d98] scatterwalk_start+0x18/0x30
LR [f9225848] get_data_to_compute+0x28/0x2f0 [ccm]
Call Trace:
[eecd1c20] [f9225974] get_data_to_compute+0x154/0x2f0 [ccm] (unreliable)
[eecd1c70] [f9225c94] crypto_ccm_auth+0x184/0x1d0 [ccm]
[eecd1cb0] [f9225d40] crypto_ccm_encrypt+0x60/0x2d0 [ccm]
[eecd1cf0] [c020d77c] __test_aead+0x3ec/0xe20
[eecd1e20] [c020f35c] test_aead+0x6c/0xe0
[eecd1e40] [c020f420] alg_test_aead+0x50/0xd0
[eecd1e60] [c020e5e4] alg_test+0x114/0x2e0
[eecd1ee0] [c020bd1c] cryptomgr_test+0x4c/0x60
[eecd1ef0] [c0047058] kthread+0xa8/0xb0
[eecd1f40] [c000eb0c] ret_from_kernel_thread+0x5c/0x64
Instruction dump:
0f080000 81290024 552807fe 0f080000 5529003a 4bffffb4 90830000 39400000
39000001 8124000c 2f890000 7d28579e <0f090000> 81240008 91230004 4e800020
---[ end trace 6d652dfcd1be37bd ]---
Cc: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: Horia Geanta <horia.geanta@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/ccm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/crypto/ccm.c
+++ b/crypto/ccm.c
@@ -271,7 +271,8 @@ static int crypto_ccm_auth(struct aead_r
}
/* compute plaintext into mac */
- get_data_to_compute(cipher, pctx, plain, cryptlen);
+ if (cryptlen)
+ get_data_to_compute(cipher, pctx, plain, cryptlen);
out:
return err;
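Review bot: The "if (cryptlen)" guard in crypto_ccm_auth() protects only this call site, so the requirement that get_data_to_compute() never be called with a zero length stays implicit. Per the trace in the commit message, a zero length passed to get_data_to_compute() reaches scatterwalk_start() and the BUG at crypto/scatterwalk.c:37. Consider returning early on a zero length inside get_data_to_compute() so that every caller is covered. Alternatively, extend the "/* compute plaintext into mac */" comment to state that cryptlen is zero for empty plaintext on encryption and for mac-only input on decryption, and that the call is skipped in those cases.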