From: Jia Jie Ho jiajie.ho@starfivetech.com
[ Upstream commit d7f01649f4eaf1878472d3d3f480ae1e50d98f6c ]
RSA text data uses variable length buffer allocated in software stack. Calling kfree on it causes undefined behaviour in subsequent operations.
Cc: stable@vger.kernel.org #6.7+ Signed-off-by: Jia Jie Ho jiajie.ho@starfivetech.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Bin Lan bin.lan.cn@windriver.com --- drivers/crypto/starfive/jh7110-rsa.c | 1 - 1 file changed, 1 deletion(-)
diff --git a/drivers/crypto/starfive/jh7110-rsa.c b/drivers/crypto/starfive/jh7110-rsa.c index 1db9a3d02848..3116828d60a0 100644 --- a/drivers/crypto/starfive/jh7110-rsa.c +++ b/drivers/crypto/starfive/jh7110-rsa.c @@ -303,7 +303,6 @@ static int starfive_rsa_enc_core(struct starfive_cryp_ctx *ctx, int enc)
err_rsa_crypt: writel(STARFIVE_RSA_RESET, cryp->base + STARFIVE_PKA_CACR_OFFSET); - kfree(rctx->rsa_data); return ret; }
On Tue, Dec 03, 2024 at 02:52:13PM +0800, bin.lan.cn@eng.windriver.com wrote:
From: Jia Jie Ho jiajie.ho@starfivetech.com
[ Upstream commit d7f01649f4eaf1878472d3d3f480ae1e50d98f6c ]
RSA text data uses variable length buffer allocated in software stack. Calling kfree on it causes undefined behaviour in subsequent operations.
Cc: stable@vger.kernel.org #6.7+
The cc: says 6.7 and newer, and yet you are wanting this for 6.6.y? Why? Why ignore what the author asked for?
thanks,
greg k-h
On 12/3/2024 4:23 PM, Greg KH wrote:
CAUTION: This email comes from a non Wind River email account! Do not click links or open attachments unless you recognize the sender and know the content is safe.
On Tue, Dec 03, 2024 at 02:52:13PM +0800, bin.lan.cn@eng.windriver.com wrote:
From: Jia Jie Ho jiajie.ho@starfivetech.com
[ Upstream commit d7f01649f4eaf1878472d3d3f480ae1e50d98f6c ]
RSA text data uses variable length buffer allocated in software stack. Calling kfree on it causes undefined behaviour in subsequent operations.
Cc: stable@vger.kernel.org #6.7+
The cc: says 6.7 and newer, and yet you are wanting this for 6.6.y? Why? Why ignore what the author asked for?
thanks,
greg k-h
I want to backport it to fix CVE-2024-39478.
Bin Lan
On Tue, Dec 03, 2024 at 04:34:25PM +0800, Bin Lan wrote:
On 12/3/2024 4:23 PM, Greg KH wrote:
CAUTION: This email comes from a non Wind River email account! Do not click links or open attachments unless you recognize the sender and know the content is safe.
On Tue, Dec 03, 2024 at 02:52:13PM +0800, bin.lan.cn@eng.windriver.com wrote:
From: Jia Jie Ho jiajie.ho@starfivetech.com
[ Upstream commit d7f01649f4eaf1878472d3d3f480ae1e50d98f6c ]
RSA text data uses variable length buffer allocated in software stack. Calling kfree on it causes undefined behaviour in subsequent operations.
Cc: stable@vger.kernel.org #6.7+
The cc: says 6.7 and newer, and yet you are wanting this for 6.6.y? Why? Why ignore what the author asked for?
thanks,
greg k-h
I want to backport it to fix CVE-2024-39478.
Again, how do you know that that CVE is relevant for kernels older than 6.7.y? Have you tested this? Have you proved that 6.6.y needs this? If not, there's no way we can take it, nor would you want us to take it, right?
thanks,
greg k-h
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: d7f01649f4eaf1878472d3d3f480ae1e50d98f6c
WARNING: Author mismatch between patch and upstream commit: Backport author: bin.lan.cn@eng.windriver.com Commit author: Jia Jie Ho jiajie.ho@starfivetech.com
Status in newer kernel trees: 6.12.y | Present (exact SHA1) 6.11.y | Present (exact SHA1) 6.6.y | Not found
Note: The patch differs from the upstream commit: --- 1: d7f01649f4eaf ! 1: f914a30081e60 crypto: starfive - Do not free stack buffer @@ Metadata ## Commit message ## crypto: starfive - Do not free stack buffer
+ [ Upstream commit d7f01649f4eaf1878472d3d3f480ae1e50d98f6c ] + RSA text data uses variable length buffer allocated in software stack. Calling kfree on it causes undefined behaviour in subsequent operations.
Cc: stable@vger.kernel.org #6.7+ Signed-off-by: Jia Jie Ho jiajie.ho@starfivetech.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au + Signed-off-by: Bin Lan bin.lan.cn@windriver.com
## drivers/crypto/starfive/jh7110-rsa.c ## @@ drivers/crypto/starfive/jh7110-rsa.c: static int starfive_rsa_enc_core(struct starfive_cryp_ctx *ctx, int enc) ---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.6.y | Success | Failed |
Build Errors: Build error for stable/linux-6.6.y:
linux-stable-mirror@lists.linaro.org
-
Bin Lan -
bin.lan.cn@eng.windriver.com -
Greg KH -
Sasha Levin