From: Eric Biggers <ebiggers3@gmail.com>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Andy Lutomirski <luto@amacapital.net>,
Andy Lutomirski <luto@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
USB list <linux-usb@vger.kernel.org>,
David Howells <dhowells@redhat.com>,
keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
Stephan Mueller <smueller@chronox.de>
Subject: Re: [PATCH v2] keys/encrypted: Fix two crypto-on-the-stack bugs
Date: Wed, 14 Dec 2016 00:10:24 -0800 [thread overview]
Message-ID: <20161214081024.GA22765@zzz> (raw)
In-Reply-To: <20161214050404.GC9592@gondor.apana.org.au>
On Wed, Dec 14, 2016 at 01:04:04PM +0800, Herbert Xu wrote:
> On Tue, Dec 13, 2016 at 06:53:03PM -0800, Andy Lutomirski wrote:
> > On Tue, Dec 13, 2016 at 6:48 PM, Andy Lutomirski <luto@kernel.org> wrote:
> > > The driver put a constant buffer of all zeros on the stack and
> > > pointed a scatterlist entry at it in two places. This doesn't work
> > > with virtual stacks. Use ZERO_PAGE instead.
> >
> > Wait a second...
> >
> > > - sg_set_buf(&sg_out[1], pad, sizeof pad);
> > > + sg_set_buf(&sg_out[1], empty_zero_page, 16);
> >
> > My fix here is obviously bogus (I meant to use ZERO_PAGE(0)), but what
> > exactly is the code trying to do? The old code makes no sense. It's
> > setting the *output* buffer to zeroed padding.
>
> It's decrypting so I presume it just needs to the extra space for
> the padding and the result will be thrown away.
>
It looks like the data is zero-padded to a 16-byte AES block boundary before
being encrypted with CBC, so the encrypted data may be longer than the original
data. (I don't know why it doesn't use CTS mode instead, which would make the
lengths the same.)
Since the crypto API can do in-place operations, when *encrypting* I suggest
copying the decrypted data to the output buffer, padding it with 0's, and
encrypting it in-place. This eliminates the need for the stack buffer.
But when *decrypting* there will be up to 15 extra throwaway bytes of output
produced by the decryption. There must be space made for these, and since it's
output it can't be empty_zero_page. I guess either check whether space can be
made for it in-place, or allocate a temporary buffer...
Eric
next prev parent reply other threads:[~2016-12-14 8:10 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-14 2:48 [PATCH v2] keys/encrypted: Fix two crypto-on-the-stack bugs Andy Lutomirski
2016-12-14 2:53 ` Andy Lutomirski
2016-12-14 5:04 ` Herbert Xu
2016-12-14 8:10 ` Eric Biggers [this message]
2016-12-14 8:37 ` David Howells
2016-12-14 16:22 ` Andy Lutomirski
2016-12-14 17:00 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161214081024.GA22765@zzz \
--to=ebiggers3@gmail.com \
--cc=dhowells@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=smueller@chronox.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox