From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Biggers <ebiggers@google.com>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: [PATCH 4.14 21/59] crypto: authenc - fix parsing key with misaligned rta_len
Date: Mon, 21 Jan 2019 14:43:46 +0100 [thread overview]
Message-ID: <20190121122458.883489466@linuxfoundation.org> (raw)
In-Reply-To: <20190121122456.529172919@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 8f9c469348487844328e162db57112f7d347c49f upstream.
Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte
'enckeylen', followed by an authentication key and an encryption key.
crypto_authenc_extractkeys() parses the key to find the inner keys.
However, it fails to consider the case where the rtattr's payload is
longer than 4 bytes but not 4-byte aligned, and where the key ends
before the next 4-byte aligned boundary. In this case, 'keylen -=
RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX. This
causes a buffer overread and crash during crypto_ahash_setkey().
Fix it by restricting the rtattr payload to the expected size.
Reproducer using AF_ALG:
#include <linux/if_alg.h>
#include <linux/rtnetlink.h>
#include <sys/socket.h>
int main()
{
int fd;
struct sockaddr_alg addr = {
.salg_type = "aead",
.salg_name = "authenc(hmac(sha256),cbc(aes))",
};
struct {
struct rtattr attr;
__be32 enckeylen;
char keys[1];
} __attribute__((packed)) key = {
.attr.rta_len = sizeof(key),
.attr.rta_type = 1 /* CRYPTO_AUTHENC_KEYA_PARAM */,
};
fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(fd, (void *)&addr, sizeof(addr));
setsockopt(fd, SOL_ALG, ALG_SET_KEY, &key, sizeof(key));
}
It caused:
BUG: unable to handle kernel paging request at ffff88007ffdc000
PGD 2e01067 P4D 2e01067 PUD 2e04067 PMD 2e05067 PTE 0
Oops: 0000 [#1] SMP
CPU: 0 PID: 883 Comm: authenc Not tainted 4.20.0-rc1-00108-g00c9fe37a7f27 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014
RIP: 0010:sha256_ni_transform+0xb3/0x330 arch/x86/crypto/sha256_ni_asm.S:155
[...]
Call Trace:
sha256_ni_finup+0x10/0x20 arch/x86/crypto/sha256_ssse3_glue.c:321
crypto_shash_finup+0x1a/0x30 crypto/shash.c:178
shash_digest_unaligned+0x45/0x60 crypto/shash.c:186
crypto_shash_digest+0x24/0x40 crypto/shash.c:202
hmac_setkey+0x135/0x1e0 crypto/hmac.c:66
crypto_shash_setkey+0x2b/0xb0 crypto/shash.c:66
shash_async_setkey+0x10/0x20 crypto/shash.c:223
crypto_ahash_setkey+0x2d/0xa0 crypto/ahash.c:202
crypto_authenc_setkey+0x68/0x100 crypto/authenc.c:96
crypto_aead_setkey+0x2a/0xc0 crypto/aead.c:62
aead_setkey+0xc/0x10 crypto/algif_aead.c:526
alg_setkey crypto/af_alg.c:223 [inline]
alg_setsockopt+0xfe/0x130 crypto/af_alg.c:256
__sys_setsockopt+0x6d/0xd0 net/socket.c:1902
__do_sys_setsockopt net/socket.c:1913 [inline]
__se_sys_setsockopt net/socket.c:1910 [inline]
__x64_sys_setsockopt+0x1f/0x30 net/socket.c:1910
do_syscall_64+0x4a/0x180 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Fixes: e236d4a89a2f ("[CRYPTO] authenc: Move enckeylen into key itself")
Cc: <stable@vger.kernel.org> # v2.6.25+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/authenc.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/crypto/authenc.c
+++ b/crypto/authenc.c
@@ -58,14 +58,22 @@ int crypto_authenc_extractkeys(struct cr
return -EINVAL;
if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
return -EINVAL;
- if (RTA_PAYLOAD(rta) < sizeof(*param))
+
+ /*
+ * RTA_OK() didn't align the rtattr's payload when validating that it
+ * fits in the buffer. Yet, the keys should start on the next 4-byte
+ * aligned boundary. To avoid confusion, require that the rtattr
+ * payload be exactly the param struct, which has a 4-byte aligned size.
+ */
+ if (RTA_PAYLOAD(rta) != sizeof(*param))
return -EINVAL;
+ BUILD_BUG_ON(sizeof(*param) % RTA_ALIGNTO);
param = RTA_DATA(rta);
keys->enckeylen = be32_to_cpu(param->enckeylen);
- key += RTA_ALIGN(rta->rta_len);
- keylen -= RTA_ALIGN(rta->rta_len);
+ key += rta->rta_len;
+ keylen -= rta->rta_len;
if (keylen < keys->enckeylen)
return -EINVAL;
next prev parent reply other threads:[~2019-01-21 13:52 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-21 13:43 [PATCH 4.14 00/59] 4.14.95-stable review Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 01/59] tty/ldsem: Wake up readers after timed out down_write() Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 02/59] tty: Hold tty_ldisc_lock() during tty_reopen() Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 03/59] tty: Simplify tty->count math in tty_reopen() Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 04/59] tty: Dont hold ldisc lock in tty_reopen() if ldisc present Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 05/59] can: gw: ensure DLC boundaries after CAN frame modification Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 06/59] mmc: sdhci-msm: Disable CDR function on TX Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 07/59] media: em28xx: Fix misplaced reset of dev->v4l::field_count Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 08/59] sched/fair: Fix bandwidth timer clock drift condition Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 09/59] Revert "scsi: target: iscsi: cxgbit: fix csk leak" Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 10/59] scsi: target: iscsi: cxgbit: fix csk leak Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 11/59] arm64/kvm: consistently handle host HCR_EL2 flags Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 12/59] arm64: Dont trap host pointer auth use to EL2 Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 13/59] ipv6: fix kernel-infoleak in ipv6_local_error() Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 14/59] net: bridge: fix a bug on using a neighbour cache entry without checking its state Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 15/59] packet: Do not leak dev refcounts on error exit Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 16/59] bonding: update nest level on unlink Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 17/59] ip: on queued skb use skb_header_pointer instead of pskb_may_pull Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 18/59] crypto: caam - fix zero-length buffer DMA mapping Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 19/59] crypto: authencesn - Avoid twice completion call in decrypt path Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 20/59] crypto: bcm - convert to use crypto_authenc_extractkeys() Greg Kroah-Hartman
2019-01-21 13:43 ` Greg Kroah-Hartman [this message]
2019-01-21 13:43 ` [PATCH 4.14 22/59] Revert "btrfs: balance dirty metadata pages in btrfs_finish_ordered_io" Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 23/59] btrfs: wait on ordered extents on abort cleanup Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 24/59] Yama: Check for pid death before checking ancestry Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 25/59] scsi: core: Synchronize request queue PM status only on successful resume Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 26/59] scsi: sd: Fix cache_type_store() Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 27/59] crypto: talitos - reorder code in talitos_edesc_alloc() Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 28/59] crypto: talitos - fix ablkcipher for CONFIG_VMAP_STACK Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 29/59] mips: fix n32 compat_ipc_parse_version Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 30/59] MIPS: lantiq: Fix IPI interrupt handling Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 31/59] OF: properties: add missing of_node_put Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 32/59] mfd: tps6586x: Handle interrupts on suspend Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 33/59] media: v4l: ioctl: Validate num_planes for debug messages Greg Kroah-Hartman
2019-01-21 13:43 ` [PATCH 4.14 34/59] pstore/ram: Avoid allocation and leak of platform data Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 35/59] arm64: kaslr: ensure randomized quantities are clean to the PoC Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 36/59] Disable MSI also when pcie-octeon.pcie_disable on Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 37/59] omap2fb: Fix stack memory disclosure Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 38/59] media: vivid: fix error handling of kthread_run Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 39/59] media: vivid: set min width/height to a value > 0 Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 40/59] bpf: in __bpf_redirect_no_mac pull mac only if present Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 41/59] LSM: Check for NULL cred-security on free Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 42/59] media: vb2: vb2_mmap: move lock up Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 43/59] sunrpc: handle ENOMEM in rpcb_getport_async Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 44/59] netfilter: ebtables: account ebt_table_info to kmemcg Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 45/59] selinux: fix GPF on invalid policy Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 46/59] blockdev: Fix livelocks on loop device Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 47/59] sctp: allocate sctp_sockaddr_entry with kzalloc Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 48/59] tipc: fix uninit-value in tipc_nl_compat_link_reset_stats Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 49/59] tipc: fix uninit-value in tipc_nl_compat_bearer_enable Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 50/59] tipc: fix uninit-value in tipc_nl_compat_link_set Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 51/59] tipc: fix uninit-value in tipc_nl_compat_name_table_dump Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 52/59] tipc: fix uninit-value in tipc_nl_compat_doit Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 53/59] block/loop: Dont grab "struct file" for vfs_getattr() operation Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 54/59] block/loop: Use global lock for ioctl() operation Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 55/59] loop: Fold __loop_release into loop_release Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 56/59] loop: Get rid of loop_index_mutex Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 57/59] loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl() Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 58/59] loop: drop caches if offset or block_size are changed Greg Kroah-Hartman
2019-01-21 13:44 ` [PATCH 4.14 59/59] drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock Greg Kroah-Hartman
2019-01-22 3:07 ` [PATCH 4.14 00/59] 4.14.95-stable review Naresh Kamboju
2019-01-22 19:23 ` Guenter Roeck
2019-01-22 22:31 ` shuah
2019-01-23 9:07 ` Jon Hunter
2019-01-23 12:55 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190121122458.883489466@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ebiggers@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).