[PATCH v2 1/5] crypto: dh - Fix double free of ctx->p

[PATCH v2 1/5] crypto: dh - Fix double free of ctx->p

[Eric Biggers]

From: Eric Biggers <ebiggers@google.com>

When setting the secret with the software Diffie-Hellman implementation,
if allocating 'g' failed (e.g. if it was longer than
MAX_EXTERN_MPI_BITS), then 'p' was freed twice: once immediately, and
once later when the crypto_kpp tfm was destroyed.

Fix it by using dh_free_ctx() (renamed to dh_clear_ctx()) in the error
paths, as that correctly sets the pointers to NULL.

KASAN report:

    MPI: mpi too large (32760 bits)
    ==================================================================
    BUG: KASAN: use-after-free in mpi_free+0x131/0x170
    Read of size 4 at addr ffff88006c7cdf90 by task reproduce_doubl/367

    CPU: 1 PID: 367 Comm: reproduce_doubl Not tainted 4.14.0-rc7-00040-g05298abde6fe #7
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
    Call Trace:
     dump_stack+0xb3/0x10b
     ? mpi_free+0x131/0x170
     print_address_description+0x79/0x2a0
     ? mpi_free+0x131/0x170
     kasan_report+0x236/0x340
     ? akcipher_register_instance+0x90/0x90
     __asan_report_load4_noabort+0x14/0x20
     mpi_free+0x131/0x170
     ? akcipher_register_instance+0x90/0x90
     dh_exit_tfm+0x3d/0x140
     crypto_kpp_exit_tfm+0x52/0x70
     crypto_destroy_tfm+0xb3/0x250
     __keyctl_dh_compute+0x640/0xe90
     ? kasan_slab_free+0x12f/0x180
     ? dh_data_from_key+0x240/0x240
     ? key_create_or_update+0x1ee/0xb20
     ? key_instantiate_and_link+0x440/0x440
     ? lock_contended+0xee0/0xee0
     ? kfree+0xcf/0x210
     ? SyS_add_key+0x268/0x340
     keyctl_dh_compute+0xb3/0xf1
     ? __keyctl_dh_compute+0xe90/0xe90
     ? SyS_add_key+0x26d/0x340
     ? entry_SYSCALL_64_fastpath+0x5/0xbe
     ? trace_hardirqs_on_caller+0x3f4/0x560
     SyS_keyctl+0x72/0x2c0
     entry_SYSCALL_64_fastpath+0x1f/0xbe
    RIP: 0033:0x43ccf9
    RSP: 002b:00007ffeeec96158 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa
    RAX: ffffffffffffffda RBX: 000000000248b9b9 RCX: 000000000043ccf9
    RDX: 00007ffeeec96170 RSI: 00007ffeeec96160 RDI: 0000000000000017
    RBP: 0000000000000046 R08: 0000000000000000 R09: 0248b9b9143dc936
    R10: 0000000000001000 R11: 0000000000000246 R12: 0000000000000000
    R13: 0000000000409670 R14: 0000000000409700 R15: 0000000000000000

    Allocated by task 367:
     save_stack_trace+0x16/0x20
     kasan_kmalloc+0xeb/0x180
     kmem_cache_alloc_trace+0x114/0x300
     mpi_alloc+0x4b/0x230
     mpi_read_raw_data+0xbe/0x360
     dh_set_secret+0x1dc/0x460
     __keyctl_dh_compute+0x623/0xe90
     keyctl_dh_compute+0xb3/0xf1
     SyS_keyctl+0x72/0x2c0
     entry_SYSCALL_64_fastpath+0x1f/0xbe

    Freed by task 367:
     save_stack_trace+0x16/0x20
     kasan_slab_free+0xab/0x180
     kfree+0xb5/0x210
     mpi_free+0xcb/0x170
     dh_set_secret+0x2d7/0x460
     __keyctl_dh_compute+0x623/0xe90
     keyctl_dh_compute+0xb3/0xf1
     SyS_keyctl+0x72/0x2c0
     entry_SYSCALL_64_fastpath+0x1f/0xbe

Fixes: 802c7f1c84e4 ("crypto: dh - Add DH software implementation")
Cc: <stable@vger.kernel.org> # v4.8+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 crypto/dh.c | 33 +++++++++++++--------------------
 1 file changed, 13 insertions(+), 20 deletions(-)

diff --git a/crypto/dh.c b/crypto/dh.c
index b1032a5c1bfa..aadaf36fb56f 100644
--- a/crypto/dh.c
+++ b/crypto/dh.c
@@ -21,19 +21,12 @@ struct dh_ctx {
 	MPI xa;
 };
 
-static inline void dh_clear_params(struct dh_ctx *ctx)
+static void dh_clear_ctx(struct dh_ctx *ctx)
 {
 	mpi_free(ctx->p);
 	mpi_free(ctx->g);
-	ctx->p = NULL;
-	ctx->g = NULL;
-}
-
-static void dh_free_ctx(struct dh_ctx *ctx)
-{
-	dh_clear_params(ctx);
 	mpi_free(ctx->xa);
-	ctx->xa = NULL;
+	memset(ctx, 0, sizeof(*ctx));
 }
 
 /*
@@ -71,10 +64,8 @@ static int dh_set_params(struct dh_ctx *ctx, struct dh *params)
 		return -EINVAL;
 
 	ctx->g = mpi_read_raw_data(params->g, params->g_size);
-	if (!ctx->g) {
-		mpi_free(ctx->p);
+	if (!ctx->g)
 		return -EINVAL;
-	}
 
 	return 0;
 }
@@ -86,21 +77,23 @@ static int dh_set_secret(struct crypto_kpp *tfm, const void *buf,
 	struct dh params;
 
 	/* Free the old MPI key if any */
-	dh_free_ctx(ctx);
+	dh_clear_ctx(ctx);
 
 	if (crypto_dh_decode_key(buf, len, &params) < 0)
-		return -EINVAL;
+		goto err_clear_ctx;
 
 	if (dh_set_params(ctx, &params) < 0)
-		return -EINVAL;
+		goto err_clear_ctx;
 
 	ctx->xa = mpi_read_raw_data(params.key, params.key_size);
-	if (!ctx->xa) {
-		dh_clear_params(ctx);
-		return -EINVAL;
-	}
+	if (!ctx->xa)
+		goto err_clear_ctx;
 
 	return 0;
+
+err_clear_ctx:
+	dh_clear_ctx(ctx);
+	return -EINVAL;
 }
 
 static int dh_compute_value(struct kpp_request *req)
@@ -158,7 +151,7 @@ static void dh_exit_tfm(struct crypto_kpp *tfm)
 {
 	struct dh_ctx *ctx = dh_get_ctx(tfm);
 
-	dh_free_ctx(ctx);
+	dh_clear_ctx(ctx);
 }
 
 static struct kpp_alg dh = {
-- 
2.15.0

[PATCH v2 2/5] crypto: dh - Don't permit 'p' to be 0

[Eric Biggers]

From: Eric Biggers <ebiggers@google.com>

If 'p' is 0 for the software Diffie-Hellman implementation, then
dh_max_size() returns 0.  In the case of KEYCTL_DH_COMPUTE, this causes
ZERO_SIZE_PTR to be passed to sg_init_one(), which with
CONFIG_DEBUG_SG=y triggers the 'BUG_ON(!virt_addr_valid(buf));' in
sg_set_buf().

Fix this by making crypto_dh_decode_key() reject 0 for 'p'.  p=0 makes
no sense for any DH implementation because 'p' is supposed to be a prime
number.  Moreover, 'mod 0' is not mathematically defined.

Bug report:

    kernel BUG at ./include/linux/scatterlist.h:140!
    invalid opcode: 0000 [#1] SMP KASAN
    CPU: 0 PID: 27112 Comm: syz-executor2 Not tainted 4.14.0-rc7-00010-gf5dbb5d0ce32-dirty #7
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.3-20171021_125229-anatol 04/01/2014
    task: ffff88006caac0c0 task.stack: ffff88006c7c8000
    RIP: 0010:sg_set_buf include/linux/scatterlist.h:140 [inline]
    RIP: 0010:sg_init_one+0x1b3/0x240 lib/scatterlist.c:156
    RSP: 0018:ffff88006c7cfb08 EFLAGS: 00010216
    RAX: 0000000000010000 RBX: ffff88006c7cfe30 RCX: 00000000000064ee
    RDX: ffffffff81cf64c3 RSI: ffffc90000d72000 RDI: ffffffff92e937e0
    RBP: ffff88006c7cfb30 R08: ffffed000d8f9fab R09: ffff88006c7cfd30
    R10: 0000000000000005 R11: ffffed000d8f9faa R12: ffff88006c7cfd30
    R13: 0000000000000000 R14: 0000000000000010 R15: ffff88006c7cfc50
    FS:  00007fce190fa700(0000) GS:ffff88003ea00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fffc6b33db8 CR3: 000000003cf64000 CR4: 00000000000006f0
    Call Trace:
     __keyctl_dh_compute+0xa95/0x19b0 security/keys/dh.c:360
     keyctl_dh_compute+0xac/0x100 security/keys/dh.c:434
     SYSC_keyctl security/keys/keyctl.c:1745 [inline]
     SyS_keyctl+0x72/0x2c0 security/keys/keyctl.c:1641
     entry_SYSCALL_64_fastpath+0x1f/0xbe
    RIP: 0033:0x4585c9
    RSP: 002b:00007fce190f9bd8 EFLAGS: 00000216 ORIG_RAX: 00000000000000fa
    RAX: ffffffffffffffda RBX: 0000000000738020 RCX: 00000000004585c9
    RDX: 000000002000d000 RSI: 0000000020000ff4 RDI: 0000000000000017
    RBP: 0000000000000046 R08: 0000000020008000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000216 R12: 00007fff6e610cde
    R13: 00007fff6e610cdf R14: 00007fce190fa700 R15: 0000000000000000
    Code: 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 33 5b 45 89 6c 24 14 41 5c 41 5d 41 5e 41 5f 5d c3 e8 fd 8f 68 ff <0f> 0b e8 f6 8f 68 ff 0f 0b e8 ef 8f 68 ff 0f 0b e8 e8 8f 68 ff 20
    RIP: sg_set_buf include/linux/scatterlist.h:140 [inline] RSP: ffff88006c7cfb08
    RIP: sg_init_one+0x1b3/0x240 lib/scatterlist.c:156 RSP: ffff88006c7cfb08

Fixes: 802c7f1c84e4 ("crypto: dh - Add DH software implementation")
Cc: <stable@vger.kernel.org> # v4.8+
Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 crypto/dh_helper.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/crypto/dh_helper.c b/crypto/dh_helper.c
index 8ba8a3f82620..708ae20d2d3c 100644
--- a/crypto/dh_helper.c
+++ b/crypto/dh_helper.c
@@ -90,6 +90,14 @@ int crypto_dh_decode_key(const char *buf, unsigned int len, struct dh *params)
 	params->p = (void *)(ptr + params->key_size);
 	params->g = (void *)(ptr + params->key_size + params->p_size);
 
+	/*
+	 * Don't permit 'p' to be 0.  It's not a prime number, and it's subject
+	 * to corner cases such as 'mod 0' being undefined or
+	 * crypto_kpp_maxsize() returning 0.
+	 */
+	if (memchr_inv(params->p, 0, params->p_size) == NULL)
+		return -EINVAL;
+
 	return 0;
 }
 EXPORT_SYMBOL_GPL(crypto_dh_decode_key);
-- 
2.15.0

[PATCH v2 3/5] crypto: dh - Don't permit 'key' or 'g' size longer than 'p'

[Eric Biggers]

From: Eric Biggers <ebiggers@google.com>

The "qat-dh" DH implementation assumes that 'key' and 'g' can be copied
into a buffer with size 'p_size'.  However it was never checked that
that was actually the case, which most likely allowed users to cause a
buffer underflow via KEYCTL_DH_COMPUTE.

Fix this by updating crypto_dh_decode_key() to verify this precondition
for all DH implementations.

Fixes: c9839143ebbf ("crypto: qat - Add DH support")
Cc: <stable@vger.kernel.org> # v4.8+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 crypto/dh_helper.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/crypto/dh_helper.c b/crypto/dh_helper.c
index 708ae20d2d3c..7f00c771fe8d 100644
--- a/crypto/dh_helper.c
+++ b/crypto/dh_helper.c
@@ -83,6 +83,14 @@ int crypto_dh_decode_key(const char *buf, unsigned int len, struct dh *params)
 	if (secret.len != crypto_dh_key_len(params))
 		return -EINVAL;
 
+	/*
+	 * Don't permit the buffer for 'key' or 'g' to be larger than 'p', since
+	 * some drivers assume otherwise.
+	 */
+	if (params->key_size > params->p_size ||
+	    params->g_size > params->p_size)
+		return -EINVAL;
+
 	/* Don't allocate memory. Set pointers to data within
 	 * the given buffer
 	 */
-- 
2.15.0

Re: [PATCH v2 1/5] crypto: dh - Fix double free of ctx->p

[Tudor Ambarus]

On 11/06/2017 04:30 AM, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> When setting the secret with the software Diffie-Hellman implementation,
> if allocating 'g' failed (e.g. if it was longer than
> MAX_EXTERN_MPI_BITS), then 'p' was freed twice: once immediately, and
> once later when the crypto_kpp tfm was destroyed.
> 
> Fix it by using dh_free_ctx() (renamed to dh_clear_ctx()) in the error
> paths, as that correctly sets the pointers to NULL.
> 
> KASAN report:
> 
>      MPI: mpi too large (32760 bits)
>      ==================================================================
>      BUG: KASAN: use-after-free in mpi_free+0x131/0x170
>      Read of size 4 at addr ffff88006c7cdf90 by task reproduce_doubl/367
> 
>      CPU: 1 PID: 367 Comm: reproduce_doubl Not tainted 4.14.0-rc7-00040-g05298abde6fe #7
>      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>      Call Trace:
>       dump_stack+0xb3/0x10b
>       ? mpi_free+0x131/0x170
>       print_address_description+0x79/0x2a0
>       ? mpi_free+0x131/0x170
>       kasan_report+0x236/0x340
>       ? akcipher_register_instance+0x90/0x90
>       __asan_report_load4_noabort+0x14/0x20
>       mpi_free+0x131/0x170
>       ? akcipher_register_instance+0x90/0x90
>       dh_exit_tfm+0x3d/0x140
>       crypto_kpp_exit_tfm+0x52/0x70
>       crypto_destroy_tfm+0xb3/0x250
>       __keyctl_dh_compute+0x640/0xe90
>       ? kasan_slab_free+0x12f/0x180
>       ? dh_data_from_key+0x240/0x240
>       ? key_create_or_update+0x1ee/0xb20
>       ? key_instantiate_and_link+0x440/0x440
>       ? lock_contended+0xee0/0xee0
>       ? kfree+0xcf/0x210
>       ? SyS_add_key+0x268/0x340
>       keyctl_dh_compute+0xb3/0xf1
>       ? __keyctl_dh_compute+0xe90/0xe90
>       ? SyS_add_key+0x26d/0x340
>       ? entry_SYSCALL_64_fastpath+0x5/0xbe
>       ? trace_hardirqs_on_caller+0x3f4/0x560
>       SyS_keyctl+0x72/0x2c0
>       entry_SYSCALL_64_fastpath+0x1f/0xbe
>      RIP: 0033:0x43ccf9
>      RSP: 002b:00007ffeeec96158 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa
>      RAX: ffffffffffffffda RBX: 000000000248b9b9 RCX: 000000000043ccf9
>      RDX: 00007ffeeec96170 RSI: 00007ffeeec96160 RDI: 0000000000000017
>      RBP: 0000000000000046 R08: 0000000000000000 R09: 0248b9b9143dc936
>      R10: 0000000000001000 R11: 0000000000000246 R12: 0000000000000000
>      R13: 0000000000409670 R14: 0000000000409700 R15: 0000000000000000
> 
>      Allocated by task 367:
>       save_stack_trace+0x16/0x20
>       kasan_kmalloc+0xeb/0x180
>       kmem_cache_alloc_trace+0x114/0x300
>       mpi_alloc+0x4b/0x230
>       mpi_read_raw_data+0xbe/0x360
>       dh_set_secret+0x1dc/0x460
>       __keyctl_dh_compute+0x623/0xe90
>       keyctl_dh_compute+0xb3/0xf1
>       SyS_keyctl+0x72/0x2c0
>       entry_SYSCALL_64_fastpath+0x1f/0xbe
> 
>      Freed by task 367:
>       save_stack_trace+0x16/0x20
>       kasan_slab_free+0xab/0x180
>       kfree+0xb5/0x210
>       mpi_free+0xcb/0x170
>       dh_set_secret+0x2d7/0x460
>       __keyctl_dh_compute+0x623/0xe90
>       keyctl_dh_compute+0xb3/0xf1
>       SyS_keyctl+0x72/0x2c0
>       entry_SYSCALL_64_fastpath+0x1f/0xbe
> 
> Fixes: 802c7f1c84e4 ("crypto: dh - Add DH software implementation")
> Cc: <stable@vger.kernel.org> # v4.8+
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>

> ---
>   crypto/dh.c | 33 +++++++++++++--------------------
>   1 file changed, 13 insertions(+), 20 deletions(-)
> 
> diff --git a/crypto/dh.c b/crypto/dh.c
> index b1032a5c1bfa..aadaf36fb56f 100644
> --- a/crypto/dh.c
> +++ b/crypto/dh.c
> @@ -21,19 +21,12 @@ struct dh_ctx {
>   	MPI xa;
>   };
>   
> -static inline void dh_clear_params(struct dh_ctx *ctx)
> +static void dh_clear_ctx(struct dh_ctx *ctx)
>   {
>   	mpi_free(ctx->p);
>   	mpi_free(ctx->g);
> -	ctx->p = NULL;
> -	ctx->g = NULL;
> -}
> -
> -static void dh_free_ctx(struct dh_ctx *ctx)
> -{
> -	dh_clear_params(ctx);
>   	mpi_free(ctx->xa);
> -	ctx->xa = NULL;
> +	memset(ctx, 0, sizeof(*ctx));
>   }
>   
>   /*
> @@ -71,10 +64,8 @@ static int dh_set_params(struct dh_ctx *ctx, struct dh *params)
>   		return -EINVAL;
>   
>   	ctx->g = mpi_read_raw_data(params->g, params->g_size);
> -	if (!ctx->g) {
> -		mpi_free(ctx->p);
> +	if (!ctx->g)
>   		return -EINVAL;
> -	}
>   
>   	return 0;
>   }
> @@ -86,21 +77,23 @@ static int dh_set_secret(struct crypto_kpp *tfm, const void *buf,
>   	struct dh params;
>   
>   	/* Free the old MPI key if any */
> -	dh_free_ctx(ctx);
> +	dh_clear_ctx(ctx);
>   
>   	if (crypto_dh_decode_key(buf, len, &params) < 0)
> -		return -EINVAL;
> +		goto err_clear_ctx;
>   
>   	if (dh_set_params(ctx, &params) < 0)
> -		return -EINVAL;
> +		goto err_clear_ctx;
>   
>   	ctx->xa = mpi_read_raw_data(params.key, params.key_size);
> -	if (!ctx->xa) {
> -		dh_clear_params(ctx);
> -		return -EINVAL;
> -	}
> +	if (!ctx->xa)
> +		goto err_clear_ctx;
>   
>   	return 0;
> +
> +err_clear_ctx:
> +	dh_clear_ctx(ctx);
> +	return -EINVAL;
>   }
>   
>   static int dh_compute_value(struct kpp_request *req)
> @@ -158,7 +151,7 @@ static void dh_exit_tfm(struct crypto_kpp *tfm)
>   {
>   	struct dh_ctx *ctx = dh_get_ctx(tfm);
>   
> -	dh_free_ctx(ctx);
> +	dh_clear_ctx(ctx);
>   }
>   
>   static struct kpp_alg dh = {
> 

Re: [PATCH v2 3/5] crypto: dh - Don't permit 'key' or 'g' size longer than 'p'

[Tudor Ambarus]

On 11/06/2017 04:30 AM, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> The "qat-dh" DH implementation assumes that 'key' and 'g' can be copied
> into a buffer with size 'p_size'.  However it was never checked that
> that was actually the case, which most likely allowed users to cause a
> buffer underflow via KEYCTL_DH_COMPUTE.
> 
> Fix this by updating crypto_dh_decode_key() to verify this precondition
> for all DH implementations.
> 
> Fixes: c9839143ebbf ("crypto: qat - Add DH support")
> Cc: <stable@vger.kernel.org> # v4.8+

Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>

> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>   crypto/dh_helper.c | 8 ++++++++
>   1 file changed, 8 insertions(+)
> 
> diff --git a/crypto/dh_helper.c b/crypto/dh_helper.c
> index 708ae20d2d3c..7f00c771fe8d 100644
> --- a/crypto/dh_helper.c
> +++ b/crypto/dh_helper.c
> @@ -83,6 +83,14 @@ int crypto_dh_decode_key(const char *buf, unsigned int len, struct dh *params)
>   	if (secret.len != crypto_dh_key_len(params))
>   		return -EINVAL;
>   
> +	/*
> +	 * Don't permit the buffer for 'key' or 'g' to be larger than 'p', since
> +	 * some drivers assume otherwise.
> +	 */
> +	if (params->key_size > params->p_size ||
> +	    params->g_size > params->p_size)
> +		return -EINVAL;
> +
>   	/* Don't allocate memory. Set pointers to data within
>   	 * the given buffer
>   	 */
>