Patch "lib/mpi: use kcalloc in mpi_resize" has been added to the 5.14-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 12 Sep 2021 22:59:15 -0400

This is a note to let you know that I've just added the patch titled

    lib/mpi: use kcalloc in mpi_resize

to the 5.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     lib-mpi-use-kcalloc-in-mpi_resize.patch
and it can be found in the queue-5.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 9608f57a9980eb1ec63c17f3192f2a812c28a47d
Author: Hongbo Li <herberthbli@xxxxxxxxxxx>
Date:   Thu Aug 5 16:53:32 2021 +0800

    lib/mpi: use kcalloc in mpi_resize
    
    [ Upstream commit b6f756726e4dfe75be1883f6a0202dcecdc801ab ]
    
    We should set the additional space to 0 in mpi_resize().
    So use kcalloc() instead of kmalloc_array().
    
    In lib/mpi/ec.c:
    /****************
     * Resize the array of A to NLIMBS. the additional space is cleared
     * (set to 0) [done by m_realloc()]
     */
    int mpi_resize(MPI a, unsigned nlimbs)
    
    Like the comment of kernel's mpi_resize() said, the additional space
    need to be set to 0, but when a->d is not NULL, it does not set.
    
    The kernel's mpi lib is from libgcrypt, the mpi resize in libgcrypt
    is _gcry_mpi_resize() which set the additional space to 0.
    
    This bug may cause mpi api which use mpi_resize() get wrong result
    under the condition of using the additional space without initiation.
    If this condition is not met, the bug would not be triggered.
    Currently in kernel, rsa, sm2 and dh use mpi lib, and they works well,
    so the bug is not triggered in these cases.
    
    add_points_edwards() use the additional space directly, so it will
    get a wrong result.
    
    Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files (part 1)")
    Signed-off-by: Hongbo Li <herberthbli@xxxxxxxxxxx>
    Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/lib/mpi/mpiutil.c b/lib/mpi/mpiutil.c
index 9a75ca3f7edf..bc81419f400c 100644
--- a/lib/mpi/mpiutil.c
+++ b/lib/mpi/mpiutil.c
@@ -148,7 +148,7 @@ int mpi_resize(MPI a, unsigned nlimbs)
 		return 0;	/* no need to do it */
 
 	if (a->d) {
-		p = kmalloc_array(nlimbs, sizeof(mpi_limb_t), GFP_KERNEL);
+		p = kcalloc(nlimbs, sizeof(mpi_limb_t), GFP_KERNEL);
 		if (!p)
 			return -ENOMEM;
 		memcpy(p, a->d, a->alloced * sizeof(mpi_limb_t));






