From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, syzbot <syzkaller@googlegroups.com>,
Eric Biggers <ebiggers@google.com>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: [PATCH 4.4 04/22] crypto: chacha20poly1305 - validate the digest size
Date: Mon, 8 Jan 2018 13:59:31 +0100 [thread overview]
Message-ID: <20180108125925.794369696@linuxfoundation.org> (raw)
In-Reply-To: <20180108125925.601688333@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit e57121d08c38dabec15cf3e1e2ad46721af30cae upstream.
If the rfc7539 template was instantiated with a hash algorithm with
digest size larger than 16 bytes (POLY1305_DIGEST_SIZE), then the digest
overran the 'tag' buffer in 'struct chachapoly_req_ctx', corrupting the
subsequent memory, including 'cryptlen'. This caused a crash during
crypto_skcipher_decrypt().
Fix it by, when instantiating the template, requiring that the
underlying hash algorithm has the digest size expected for Poly1305.
Reproducer:
#include <linux/if_alg.h>
#include <sys/socket.h>
#include <unistd.h>
int main()
{
int algfd, reqfd;
struct sockaddr_alg addr = {
.salg_type = "aead",
.salg_name = "rfc7539(chacha20,sha256)",
};
unsigned char buf[32] = { 0 };
algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(algfd, (void *)&addr, sizeof(addr));
setsockopt(algfd, SOL_ALG, ALG_SET_KEY, buf, sizeof(buf));
reqfd = accept(algfd, 0, 0);
write(reqfd, buf, 16);
read(reqfd, buf, 16);
}
Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 71ebc4d1b27d ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/chacha20poly1305.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/crypto/chacha20poly1305.c
+++ b/crypto/chacha20poly1305.c
@@ -600,6 +600,11 @@ static int chachapoly_create(struct cryp
CRYPTO_ALG_TYPE_AHASH_MASK);
if (IS_ERR(poly))
return PTR_ERR(poly);
+ poly_hash = __crypto_hash_alg_common(poly);
+
+ err = -EINVAL;
+ if (poly_hash->digestsize != POLY1305_DIGEST_SIZE)
+ goto out_put_poly;
err = -ENOMEM;
inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
@@ -608,7 +613,6 @@ static int chachapoly_create(struct cryp
ctx = aead_instance_ctx(inst);
ctx->saltlen = CHACHAPOLY_IV_SIZE - ivsize;
- poly_hash = __crypto_hash_alg_common(poly);
err = crypto_init_ahash_spawn(&ctx->poly, poly_hash,
aead_crypto_instance(inst));
if (err)
next prev parent reply other threads:[~2018-01-08 13:04 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-08 12:59 [PATCH 4.4 00/22] 4.4.111-stable review Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 01/22] x86/kasan: Write protect kasan zero shadow Greg Kroah-Hartman
2018-01-08 12:59 ` Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 02/22] kernel/acct.c: fix the acct->needcheck check in check_free_space() Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 03/22] crypto: n2 - cure use after free Greg Kroah-Hartman
2018-01-08 12:59 ` Greg Kroah-Hartman [this message]
2018-01-08 12:59 ` [PATCH 4.4 05/22] crypto: pcrypt - fix freeing pcrypt instances Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 06/22] sunxi-rsb: Include OF based modalias in device uevent Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 07/22] fscache: Fix the default for fscache_maybe_release_page() Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 08/22] kernel: make groups_sort calling a responsibility group_info allocators Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 09/22] kernel/signal.c: protect the traced SIGNAL_UNKILLABLE tasks from SIGKILL Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 10/22] kernel/signal.c: protect the SIGNAL_UNKILLABLE tasks from !sig_kernel_only() signals Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 11/22] kernel/signal.c: remove the no longer needed SIGNAL_UNKILLABLE check in complete_signal() Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 12/22] ARC: uaccess: dont use "l" gcc inline asm constraint modifier Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 13/22] Input: elantech - add new icbody type 15 Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 14/22] x86/microcode/AMD: Add support for fam17h microcode loading Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 15/22] parisc: Fix alignment of pa_tlb_lock in assembly on 32-bit SMP kernel Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 16/22] mtd: nand: pxa3xx: Fix READOOB implementation Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 17/22] x86/tlb: Drop the _GPL from the cpu_tlbstate export Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 18/22] genksyms: Handle string literals with spaces in reference files Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 19/22] module: keep percpu symbols in modules symtab Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 20/22] module: Issue warnings when tainting kernel Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 21/22] proc: much faster /proc/vmstat Greg Kroah-Hartman
2018-01-08 12:59 ` [PATCH 4.4 22/22] Map the vsyscall page with _PAGE_USER Greg Kroah-Hartman
2018-01-08 14:25 ` [PATCH 4.4 00/22] 4.4.111-stable review Nathan Chancellor
2018-01-08 14:25 ` Nathan Chancellor
2018-01-08 16:32 ` Greg Kroah-Hartman
2018-01-08 15:21 ` 王金浦
2018-01-08 16:32 ` Greg Kroah-Hartman
2018-01-08 17:29 ` Christoph Biedl
2018-01-08 17:44 ` Borislav Petkov
2018-01-08 17:47 ` kernelci.org bot
2018-01-08 21:00 ` Shuah Khan
2018-01-08 23:29 ` Guenter Roeck
2018-01-09 9:13 ` Greg Kroah-Hartman
2018-01-09 9:23 ` Greg Kroah-Hartman
2018-01-09 13:50 ` Guenter Roeck
2018-01-09 9:51 ` Naresh Kamboju
2018-01-09 10:50 ` Greg Kroah-Hartman
2018-01-09 16:16 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180108125925.794369696@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ebiggers@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.