1. 20 Dec, 2017 6 commits
    • Alan Stern's avatar
      USB: core: prevent malicious bNumInterfaces overflow · dfdf5fa3
      Alan Stern authored
      commit 48a4ff1c upstream.
      
      A malicious USB device with crafted descriptors can cause the kernel
      to access unallocated memory by setting the bNumInterfaces value too
      high in a configuration descriptor.  Although the value is adjusted
      during parsing, this adjustment is skipped in one of the error return
      paths.
      
      This patch prevents the problem by setting bNumInterfaces to 0
      initially.  The existing code already sets it to the proper value
      after parsing is complete.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dfdf5fa3
    • David Kozub's avatar
      USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID · 05de6fa5
      David Kozub authored
      commit 62354454 upstream.
      
      There is another JMS567-based USB3 UAS enclosure (152d:0578) that fails
      with the following error:
      
      [sda] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
      [sda] tag#0 Sense Key : Illegal Request [current]
      [sda] tag#0 Add. Sense: Invalid field in cdb
      
      The issue occurs both with UAS (occasionally) and mass storage
      (immediately after mounting a FS on a disk in the enclosure).
      
      Enabling US_FL_BROKEN_FUA quirk solves this issue.
      
      This patch adds an UNUSUAL_DEV with US_FL_BROKEN_FUA for the enclosure
      for both UAS and mass storage.
      Signed-off-by: default avatarDavid Kozub <zub@linux.fjfi.cvut.cz>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      05de6fa5
    • Changbin Du's avatar
      tracing: Allocate mask_str buffer dynamically · a34419b3
      Changbin Du authored
      commit 90e406f9 upstream.
      
      The default NR_CPUS can be very large, but actual possible nr_cpu_ids
      usually is very small. For my x86 distribution, the NR_CPUS is 8192 and
      nr_cpu_ids is 4. About 2 pages are wasted.
      
      Most machines don't have so many CPUs, so define a array with NR_CPUS
      just wastes memory. So let's allocate the buffer dynamically when need.
      
      With this change, the mutext tracing_cpumask_update_lock also can be
      removed now, which was used to protect mask_str.
      
      Link: http://lkml.kernel.org/r/1512013183-19107-1-git-send-email-changbin.du@intel.com
      
      Fixes: 36dfe925 ("ftrace: make use of tracing_cpumask")
      Signed-off-by: default avatarChangbin Du <changbin.du@intel.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a34419b3
    • NeilBrown's avatar
      autofs: fix careless error in recent commit · c60db4f6
      NeilBrown authored
      commit 302ec300 upstream.
      
      Commit ecc0c469 ("autofs: don't fail mount for transient error") was
      meant to replace an 'if' with a 'switch', but instead added the 'switch'
      leaving the case in place.
      
      Link: http://lkml.kernel.org/r/87zi6wstmw.fsf@notabene.neil.brown.name
      Fixes: ecc0c469 ("autofs: don't fail mount for transient error")
      Reported-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarNeilBrown <neilb@suse.com>
      Cc: Ian Kent <raven@themaw.net>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c60db4f6
    • Eric Biggers's avatar
      crypto: salsa20 - fix blkcipher_walk API usage · 8a311b04
      Eric Biggers authored
      commit ecaaab56 upstream.
      
      When asked to encrypt or decrypt 0 bytes, both the generic and x86
      implementations of Salsa20 crash in blkcipher_walk_done(), either when
      doing 'kfree(walk->buffer)' or 'free_page((unsigned long)walk->page)',
      because walk->buffer and walk->page have not been initialized.
      
      The bug is that Salsa20 is calling blkcipher_walk_done() even when
      nothing is in 'walk.nbytes'.  But blkcipher_walk_done() is only meant to
      be called when a nonzero number of bytes have been provided.
      
      The broken code is part of an optimization that tries to make only one
      call to salsa20_encrypt_bytes() to process inputs that are not evenly
      divisible by 64 bytes.  To fix the bug, just remove this "optimization"
      and use the blkcipher_walk API the same way all the other users do.
      
      Reproducer:
      
          #include <linux/if_alg.h>
          #include <sys/socket.h>
          #include <unistd.h>
      
          int main()
          {
                  int algfd, reqfd;
                  struct sockaddr_alg addr = {
                          .salg_type = "skcipher",
                          .salg_name = "salsa20",
                  };
                  char key[16] = { 0 };
      
                  algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
                  bind(algfd, (void *)&addr, sizeof(addr));
                  reqfd = accept(algfd, 0, 0);
                  setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
                  read(reqfd, key, sizeof(key));
          }
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Fixes: eb6f13eb ("[CRYPTO] salsa20_generic: Fix multi-page processing")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8a311b04
    • Eric Biggers's avatar
      crypto: hmac - require that the underlying hash algorithm is unkeyed · 43cd7f38
      Eric Biggers authored
      commit af3ff804 upstream.
      
      Because the HMAC template didn't check that its underlying hash
      algorithm is unkeyed, trying to use "hmac(hmac(sha3-512-generic))"
      through AF_ALG or through KEYCTL_DH_COMPUTE resulted in the inner HMAC
      being used without having been keyed, resulting in sha3_update() being
      called without sha3_init(), causing a stack buffer overflow.
      
      This is a very old bug, but it seems to have only started causing real
      problems when SHA-3 support was added (requires CONFIG_CRYPTO_SHA3)
      because the innermost hash's state is ->import()ed from a zeroed buffer,
      and it just so happens that other hash algorithms are fine with that,
      but SHA-3 is not.  However, there could be arch or hardware-dependent
      hash algorithms also affected; I couldn't test everything.
      
      Fix the bug by introducing a function crypto_shash_alg_has_setkey()
      which tests whether a shash algorithm is keyed.  Then update the HMAC
      template to require that its underlying hash algorithm is unkeyed.
      
      Here is a reproducer:
      
          #include <linux/if_alg.h>
          #include <sys/socket.h>
      
          int main()
          {
              int algfd;
              struct sockaddr_alg addr = {
                  .salg_type = "hash",
                  .salg_name = "hmac(hmac(sha3-512-generic))",
              };
              char key[4096] = { 0 };
      
              algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
              bind(algfd, (const struct sockaddr *)&addr, sizeof(addr));
              setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
          }
      
      Here was the KASAN report from syzbot:
      
          BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:341  [inline]
          BUG: KASAN: stack-out-of-bounds in sha3_update+0xdf/0x2e0  crypto/sha3_generic.c:161
          Write of size 4096 at addr ffff8801cca07c40 by task syzkaller076574/3044
      
          CPU: 1 PID: 3044 Comm: syzkaller076574 Not tainted 4.14.0-mm1+ #25
          Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  Google 01/01/2011
          Call Trace:
            __dump_stack lib/dump_stack.c:17 [inline]
            dump_stack+0x194/0x257 lib/dump_stack.c:53
            print_address_description+0x73/0x250 mm/kasan/report.c:252
            kasan_report_error mm/kasan/report.c:351 [inline]
            kasan_report+0x25b/0x340 mm/kasan/report.c:409
            check_memory_region_inline mm/kasan/kasan.c:260 [inline]
            check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
            memcpy+0x37/0x50 mm/kasan/kasan.c:303
            memcpy include/linux/string.h:341 [inline]
            sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
            crypto_shash_update+0xcb/0x220 crypto/shash.c:109
            shash_finup_unaligned+0x2a/0x60 crypto/shash.c:151
            crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
            hmac_finup+0x182/0x330 crypto/hmac.c:152
            crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
            shash_digest_unaligned+0x9e/0xd0 crypto/shash.c:172
            crypto_shash_digest+0xc4/0x120 crypto/shash.c:186
            hmac_setkey+0x36a/0x690 crypto/hmac.c:66
            crypto_shash_setkey+0xad/0x190 crypto/shash.c:64
            shash_async_setkey+0x47/0x60 crypto/shash.c:207
            crypto_ahash_setkey+0xaf/0x180 crypto/ahash.c:200
            hash_setkey+0x40/0x90 crypto/algif_hash.c:446
            alg_setkey crypto/af_alg.c:221 [inline]
            alg_setsockopt+0x2a1/0x350 crypto/af_alg.c:254
            SYSC_setsockopt net/socket.c:1851 [inline]
            SyS_setsockopt+0x189/0x360 net/socket.c:1830
            entry_SYSCALL_64_fastpath+0x1f/0x96
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      43cd7f38
  2. 16 Dec, 2017 34 commits