Merge tag 'ASB-2021-02-05_4.19-stable' of https://android.googlesource.com/kernel/common

https://source.android.com/security/bulletin/2021-02-01 CVE-2017-18509 CVE-2020-10767 * tag 'ASB-2021-02-05_4.19-stable': (809 commits) ANDROID: GKI: fix up abi issues with 4.19.172 Linux 4.19.172 fs: fix lazytime expiration handling in __writeback_single_inode() writeback: Drop I_DIRTY_TIME_EXPIRE dm integrity: conditionally disable "recalculate" feature tools: Factor HOSTCC, HOSTLD, HOSTAR definitions tracing: Fix race in trace_open and buffer resize call HID: wacom: Correct NULL dereference on AES pen proximity futex: Handle faults correctly for PI futexes futex: Simplify fixup_pi_state_owner() futex: Use pi_state_update_owner() in put_pi_state() rtmutex: Remove unused argument from rt_mutex_proxy_unlock() futex: Provide and use pi_state_update_owner() futex: Replace pointless printk in fixup_owner() futex: Ensure the correct return value from futex_lock_pi() futex: Prevent exit livelock futex: Provide distinct return value when owner is exiting futex: Add mutex around futex exit futex: Provide state handling for exec() as well futex: Sanitize exit state handling ... Change-Id: Ieba6ee3a91a05d504e1f829a84e7d364e7d983f2 Conflicts: arch/arm64/boot/dts/rockchip/rk3328.dtsi drivers/md/Kconfig drivers/usb/gadget/function/f_uac2.c
2021-02-26 15:30:04 +08:00
parent ab9fb85b0b c9b5531f57
commit b50aca0c9a
711 changed files with 52339 additions and 13855 deletions
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@ -151,7 +151,7 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 	const u32 allowed = CRYPTO_ALG_KERN_DRIVER_ONLY;
 	struct sock *sk = sock->sk;
 	struct alg_sock *ask = alg_sk(sk);
-	struct sockaddr_alg *sa = (void *)uaddr;
+	struct sockaddr_alg_new *sa = (void *)uaddr;
 	const struct af_alg_type *type;
 	void *private;
 	int err;
@ -159,7 +159,11 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 	if (sock->state == SS_CONNECTED)
 		return -EINVAL;

-	if (addr_len < sizeof(*sa))
+	BUILD_BUG_ON(offsetof(struct sockaddr_alg_new, salg_name) !=
+		     offsetof(struct sockaddr_alg, salg_name));
+	BUILD_BUG_ON(offsetof(struct sockaddr_alg, salg_name) != sizeof(*sa));
+
+	if (addr_len < sizeof(*sa) + 1)
 		return -EINVAL;

 	/* If caller uses non-allowed flag, return error. */
@ -167,7 +171,7 @@ static int alg_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 		return -EINVAL;

 	sa->salg_type[sizeof(sa->salg_type) - 1] = 0;
-	sa->salg_name[sizeof(sa->salg_name) + addr_len - sizeof(*sa) - 1] = 0;
+	sa->salg_name[addr_len - sizeof(*sa) - 1] = 0;

 	type = alg_get_type(sa->salg_type);
 	if (IS_ERR(type) && PTR_ERR(type) == -ENOENT) {
--- a/crypto/ecdh.c
+++ b/crypto/ecdh.c
@ -43,7 +43,8 @@ static int ecdh_set_secret(struct crypto_kpp *tfm, const void *buf,
 	struct ecdh params;
 	unsigned int ndigits;

-	if (crypto_ecdh_decode_key(buf, len, &params) < 0)
+	if (crypto_ecdh_decode_key(buf, len, &params) < 0 ||
+	    params.key_size > sizeof(ctx->private_key))
 		return -EINVAL;

 	ndigits = ecdh_supported_curve(params.curve_id);
@ -57,12 +58,13 @@ static int ecdh_set_secret(struct crypto_kpp *tfm, const void *buf,
 		return ecc_gen_privkey(ctx->curve_id, ctx->ndigits,
 				       ctx->private_key);

-	if (ecc_is_key_valid(ctx->curve_id, ctx->ndigits,
-			     (const u64 *)params.key, params.key_size) < 0)
-		return -EINVAL;
-
 	memcpy(ctx->private_key, params.key, params.key_size);

+	if (ecc_is_key_valid(ctx->curve_id, ctx->ndigits,
+			     ctx->private_key, params.key_size) < 0) {
+		memzero_explicit(ctx->private_key, params.key_size);
+		return -EINVAL;
+	}
 	return 0;
 }