From fbb726302a9ae06b373e04a54ad30eafa288dd10 Mon Sep 17 00:00:00 2001 From: Pan Bian Date: Tue, 13 Dec 2016 09:26:18 +0000 Subject: crypto: asymmetric_keys - set error code on failure In function public_key_verify_signature(), returns variable ret on error paths. When the call to kmalloc() fails, the value of ret is 0, and it is not set to an errno before returning. This patch fixes the bug. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188891 Signed-off-by: Pan Bian Signed-off-by: David Howells Signed-off-by: Herbert Xu --- crypto/asymmetric_keys/public_key.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c index fd76b5fc3b3a..d3a989e718f5 100644 --- a/crypto/asymmetric_keys/public_key.c +++ b/crypto/asymmetric_keys/public_key.c @@ -121,6 +121,7 @@ int public_key_verify_signature(const struct public_key *pkey, if (ret) goto error_free_req; + ret = -ENOMEM; outlen = crypto_akcipher_maxsize(tfm); output = kmalloc(outlen, GFP_KERNEL); if (!output) -- cgit From efcae7c931b473285e38c778bdaa9f36de9f78d6 Mon Sep 17 00:00:00 2001 From: Alex Yashchenko Date: Tue, 13 Dec 2016 09:26:25 +0000 Subject: sign-file: Fix inplace signing when src and dst names are both specified When src and dst both are specified and they point to the same file the sign-file utility will write only signature to the dst file and the module (.ko file) body will not be written. That happens because we open the same file with "rb" and "wb" flags, from fopen man: w Truncate file to zero length or create text file for writing. The stream is positioned at the beginning of the file. ... bm = BIO_new_file(module_name, "rb"); ... bd = BIO_new_file(dest_name, "wb"); ... while ((n = BIO_read(bm, buf, sizeof(buf))), n > 0) { ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name); } ... Signed-off-by: Alex Yashchenko Signed-off-by: David Howells Signed-off-by: Herbert Xu --- scripts/sign-file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/sign-file.c b/scripts/sign-file.c index 53af6dc3e6c1..19ec468b1168 100755 --- a/scripts/sign-file.c +++ b/scripts/sign-file.c @@ -267,7 +267,7 @@ int main(int argc, char **argv) } x509_name = argv[2]; module_name = argv[3]; - if (argc == 5) { + if (argc == 5 && strcmp(argv[3], argv[4]) != 0) { dest_name = argv[4]; replace_orig = false; } else { -- cgit From 18e615ad87bce9125ef3990377a4a946ec0f21f3 Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel Date: Tue, 13 Dec 2016 13:34:02 +0000 Subject: crypto: skcipher - fix crash in virtual walk The new skcipher walk API may crash in the following way. (Interestingly, the tcrypt boot time tests seem unaffected, while an explicit test using the module triggers it) Unable to handle kernel NULL pointer dereference at virtual address 00000000 ... [] __memcpy+0x84/0x180 [] skcipher_walk_done+0x328/0x340 [] ctr_encrypt+0x84/0x100 [] simd_skcipher_encrypt+0x88/0x98 [] crypto_rfc3686_crypt+0x8c/0x98 [] test_skcipher_speed+0x518/0x820 [tcrypt] [] do_test+0x1408/0x3b70 [tcrypt] [] tcrypt_mod_init+0x50/0x1000 [tcrypt] [] do_one_initcall+0x44/0x138 [] do_init_module+0x68/0x1e0 [] load_module+0x1fd0/0x2458 [] SyS_finit_module+0xe0/0xf0 [] el0_svc_naked+0x24/0x28 This is due to the fact that skcipher_done_slow() may be entered with walk->buffer unset. Since skcipher_walk_done() already deals with the case where walk->buffer == walk->page, it appears to be the intention that walk->buffer point to walk->page after skcipher_next_slow(), so ensure that is the case. Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu --- crypto/skcipher.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/crypto/skcipher.c b/crypto/skcipher.c index aca07c643d41..0e1e6c35188e 100644 --- a/crypto/skcipher.c +++ b/crypto/skcipher.c @@ -226,7 +226,9 @@ static int skcipher_next_slow(struct skcipher_walk *walk, unsigned int bsize) void *v; if (!phys) { - buffer = walk->buffer ?: walk->page; + if (!walk->buffer) + walk->buffer = walk->page; + buffer = walk->buffer; if (buffer) goto ok; } -- cgit