[PATCH] fix out of bound read in __test_aead()

[PATCH] fix out of bound read in __test_aead()

[Jerome Marchand]

__test_aead() reads MAX_IVLEN bytes from template[i].iv, but the
actual length of the initialisation vector can be shorter.
The length of the IV is already calculated earlier in the
function. Let's just reuses that.
This fix an out-of-bound error detected by KASan.

Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
---
 crypto/testmgr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index ae8c57fd..d3587d5 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -617,7 +617,7 @@ static int __test_aead(struct crypto_aead *tfm, int enc,
 		j++;
 
 		if (template[i].iv)
-			memcpy(iv, template[i].iv, MAX_IVLEN);
+			memcpy(iv, template[i].iv, iv_len);
 		else
 			memset(iv, 0, MAX_IVLEN);
 
-- 
2.5.0

Re: [PATCH] fix out of bound read in __test_aead()

[Herbert Xu]

On Fri, Jan 29, 2016 at 02:10:09PM +0100, Jerome Marchand wrote:
> __test_aead() reads MAX_IVLEN bytes from template[i].iv, but the
> actual length of the initialisation vector can be shorter.
> The length of the IV is already calculated earlier in the
> function. Let's just reuses that.
> This fix an out-of-bound error detected by KASan.
> 
> Signed-off-by: Jerome Marchand <jmarchan@redhat.com>

This patch creates a new warning that iv_len may be uninitialised.

Please fix this and resubmit.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] fix out of bound read in __test_aead()

[Jerome Marchand]

[-- Attachment #1: Type: text/plain, Size: 817 bytes --]

On 02/01/2016 03:26 PM, Herbert Xu wrote:
> On Fri, Jan 29, 2016 at 02:10:09PM +0100, Jerome Marchand wrote:
>> __test_aead() reads MAX_IVLEN bytes from template[i].iv, but the
>> actual length of the initialisation vector can be shorter.
>> The length of the IV is already calculated earlier in the
>> function. Let's just reuses that.
>> This fix an out-of-bound error detected by KASan.
>>
>> Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
> 
> This patch creates a new warning that iv_len may be uninitialised.

I see. iv_len is set for each templates. I don't see why we would like
to call crypto_aead_ivsize() more than once. Moving the initialization
of iv_len out of the loop should solve the warning.

> 
> Please fix this and resubmit.

Will do.

Jerome

> 
> Thanks,
> 



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 473 bytes --]

[PATCH v2] fix out of bound read in __test_aead()

[Jerome Marchand]

__test_aead() reads MAX_IVLEN bytes from template[i].iv, but the
actual length of the initialisation vector can be shorter.
The length of the IV is already calculated earlier in the
function. Let's just reuses that. Also the IV length is currently
calculated several time for no reason. Let's fix that too.
This fix an out-of-bound error detected by KASan.

Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
---
 crypto/testmgr.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index ae8c57fd..6691756 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -488,6 +488,8 @@ static int __test_aead(struct crypto_aead *tfm, int enc,
 	aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
 				  tcrypt_complete, &result);
 
+	iv_len = crypto_aead_ivsize(tfm);
+
 	for (i = 0, j = 0; i < tcount; i++) {
 		if (template[i].np)
 			continue;
@@ -508,7 +510,6 @@ static int __test_aead(struct crypto_aead *tfm, int enc,
 
 		memcpy(input, template[i].input, template[i].ilen);
 		memcpy(assoc, template[i].assoc, template[i].alen);
-		iv_len = crypto_aead_ivsize(tfm);
 		if (template[i].iv)
 			memcpy(iv, template[i].iv, iv_len);
 		else
@@ -617,7 +618,7 @@ static int __test_aead(struct crypto_aead *tfm, int enc,
 		j++;
 
 		if (template[i].iv)
-			memcpy(iv, template[i].iv, MAX_IVLEN);
+			memcpy(iv, template[i].iv, iv_len);
 		else
 			memset(iv, 0, MAX_IVLEN);
 
-- 
2.5.0

Re: [PATCH v2] fix out of bound read in __test_aead()

[Herbert Xu]

On Wed, Feb 03, 2016 at 01:58:12PM +0100, Jerome Marchand wrote:
> __test_aead() reads MAX_IVLEN bytes from template[i].iv, but the
> actual length of the initialisation vector can be shorter.
> The length of the IV is already calculated earlier in the
> function. Let's just reuses that. Also the IV length is currently
> calculated several time for no reason. Let's fix that too.
> This fix an out-of-bound error detected by KASan.
> 
> Signed-off-by: Jerome Marchand <jmarchan@redhat.com>

Applied.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt