From: Stephan Mueller <smueller@chronox.de>
To: George Rurikov <g.ryurikov@securitycode.ru>,
Herbert Xu <herbert@gondor.apana.org.au>
Cc: MrRurikov <grurikovsherbakov@yandex.ru>,
"David S . Miller" <davem@davemloft.net>,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
lvc-project@linuxtesting.org, stable@vger.kernel.org
Subject: Re: [PATCH] crypto: Fix logical operator in _aead_recvmsg()
Date: Mon, 16 Sep 2024 09:14:13 -0500 [thread overview]
Message-ID: <1749031.NF6adcYWfa@tauon.atsec.com> (raw)
In-Reply-To: <ZufuoJC8sFi9ETqZ@gondor.apana.org.au>
Am Montag, 16. September 2024, 03:38:56 GMT-5 schrieb Herbert Xu:
Hi George,
> On Mon, Sep 16, 2024 at 10:44:22AM +0300, George Rurikov wrote:
> > From: MrRurikov <grurikovsherbakov@yandex.ru>
> >
> > After having been compared to a NULL value at algif_aead.c:191, pointer
> > 'tsgl_src' is passed as 2nd parameter in call to function
> > 'crypto_aead_copy_sgl' at algif_aead.c:244, where it is dereferenced at
> > algif_aead.c:85.
> >
> > Change logical operator from && to || because pointer 'tsgl_src' is NULL,
> > then 'proccessed' will still be non-null
> >
> > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> >
> > Cc: stable@vger.kernel.org
> > Fixes: 2d97591ef43d ("crypto: af_alg - consolidation of duplicate code")
> > Signed-off-by: MrRurikov <grurikovsherbakov@yandex.ru>
> > ---
> >
> > crypto/algif_aead.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
>
> Cc Stephan.
I am not sure that this is a valid finding. An issue exists when there is
processed != 0 and TSGL is NULL. Otherwise, the subsequent copy operation for
this part will simply copy nothing: even if TSGL is NULL, the processed value
is 0 and this is uses as the length parameter in the copy operation.
Technically any copy operation is prevented in the following code that is
invoked by the used crypto_null cipher:
static int skcipher_walk_skcipher(struct skcipher_walk *walk,
struct skcipher_request *req)
{
...
/* here we have the value of processed */
walk->total = req->cryptlen;
...
/* here we stop processing */
if (unlikely(!walk->total))
return 0;
/* here we dereference the TSGL */
scatterwalk_start(&walk->in, req->src);
You see, the processing stops before the dereferencing.
In any case, the check as it currently is, allows the use of, say, you request
a tag from just the key without any AAD or input data. Mathematically this is
a valid operation.
Thus, as of now I do not see (a) a technical issue and (b) a mathematical
issue.
Could you please help me understand the issue you think you are seeing?
Ciao
Stephan
prev parent reply other threads:[~2024-09-16 14:14 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-16 7:44 [PATCH] crypto: Fix logical operator in _aead_recvmsg() George Rurikov
2024-09-16 8:33 ` Greg KH
2024-09-16 8:38 ` Herbert Xu
2024-09-16 14:14 ` Stephan Mueller [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1749031.NF6adcYWfa@tauon.atsec.com \
--to=smueller@chronox.de \
--cc=davem@davemloft.net \
--cc=g.ryurikov@securitycode.ru \
--cc=grurikovsherbakov@yandex.ru \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lvc-project@linuxtesting.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox