From: Eric Biggers <ebiggers@kernel.org>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: linux-crypto@vger.kernel.org
Subject: Re: potential underfow in crypto/lrw.c setkey() setkey
Date: Thu, 9 May 2019 21:03:16 -0700 [thread overview]
Message-ID: <20190510040315.GA737@sol.localdomain> (raw)
In-Reply-To: <20190509110622.GA15580@mwanda>
On Thu, May 09, 2019 at 02:06:22PM +0300, Dan Carpenter wrote:
> crypto/lrw.c
> 72 static int setkey(struct crypto_skcipher *parent, const u8 *key,
> 73 unsigned int keylen)
> 74 {
> 75 struct priv *ctx = crypto_skcipher_ctx(parent);
> 76 struct crypto_skcipher *child = ctx->child;
> 77 int err, bsize = LRW_BLOCK_SIZE;
> 78 const u8 *tweak = key + keylen - bsize;
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Smatch thinks that keylen is user controlled from zero to some upper
> bound. How do we know it's >= LRW_BLOCK_SIZE (16)?
See create() in crypto/lrw.c, which is the function that creates an LRW
instance. It sets .min_keysize and .max_keysize:
inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg) +
LRW_BLOCK_SIZE;
inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg) +
LRW_BLOCK_SIZE;
Then when sometime calls crypto_skcipher_setkey(), it calls skcipher_setkey() in
crypto/skcipher.c which verifies the key length is in within the bounds the
algorithm declares:
if (keylen < cipher->min_keysize || keylen > cipher->max_keysize) {
crypto_skcipher_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN);
return -EINVAL;
}
>
> I find the crypto code sort of hard to follow... There are a bunch of
> setkey pointers and they're sometimes called recursively. Is there
> some trick or hints?
>
> 79 be128 tmp = { 0 };
> 80 int i;
> 81
> 82 crypto_skcipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
> 83 crypto_skcipher_set_flags(child, crypto_skcipher_get_flags(parent) &
> 84 CRYPTO_TFM_REQ_MASK);
> 85 err = crypto_skcipher_setkey(child, key, keylen - bsize);
> 86 crypto_skcipher_set_flags(parent, crypto_skcipher_get_flags(child) &
> 87 CRYPTO_TFM_RES_MASK);
> 88 if (err)
> 89 return err;
LRW is a template for a block cipher mode of operation which is implemented on
top of ECB. So, LRW's setkey() method calls setkey() on the underlying ECB
transform. Similarly, ECB then may call setkey() of the underlying block cipher
such as AES, or alternatively it may be implemented directly.
- Eric
prev parent reply other threads:[~2019-05-10 4:03 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-09 11:06 potential underfow in crypto/lrw.c setkey() setkey Dan Carpenter
2019-05-10 4:03 ` Eric Biggers [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190510040315.GA737@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=dan.carpenter@oracle.com \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).