* [PATCH] crypto: skcipher - set walk.iv for zero-length inputs
@ 2017-11-29 9:18 Eric Biggers
2017-12-11 11:45 ` Herbert Xu
0 siblings, 1 reply; 2+ messages in thread
From: Eric Biggers @ 2017-11-29 9:18 UTC (permalink / raw)
To: linux-crypto, Herbert Xu
Cc: David S . Miller, linux-kernel, Eric Biggers, stable
From: Eric Biggers <ebiggers@google.com>
All the ChaCha20 algorithms as well as the ARM bit-sliced AES-XTS
algorithms call skcipher_walk_virt(), then access the IV (walk.iv)
before checking whether any bytes need to be processed (walk.nbytes).
But if the input is empty, then skcipher_walk_virt() doesn't set the IV,
and the algorithms crash trying to use the uninitialized IV pointer.
Fix it by setting the IV earlier in skcipher_walk_virt(). Also fix it
for the AEAD walk functions.
This isn't a perfect solution because we can't actually align the IV to
->cra_alignmask unless there are bytes to process, for one because the
temporary buffer for the aligned IV is freed by skcipher_walk_done(),
which is only called when there are bytes to process. Thus, algorithms
that require aligned IVs will still need to avoid accessing the IV when
walk.nbytes == 0. Still, many algorithms/architectures are fine with
IVs having any alignment, and even for those that aren't, a misaligned
pointer bug is much less severe than an uninitialized pointer bug.
This change also matches the behavior of the older blkcipher_walk API.
Fixes: 0cabf2af6f5a ("crypto: skcipher - Fix crash on zero-length input")
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: <stable@vger.kernel.org> # v4.14+
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
crypto/skcipher.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/crypto/skcipher.c b/crypto/skcipher.c
index 778e0ff42bfa..11af5fd6a443 100644
--- a/crypto/skcipher.c
+++ b/crypto/skcipher.c
@@ -449,6 +449,8 @@ static int skcipher_walk_skcipher(struct skcipher_walk *walk,
walk->total = req->cryptlen;
walk->nbytes = 0;
+ walk->iv = req->iv;
+ walk->oiv = req->iv;
if (unlikely(!walk->total))
return 0;
@@ -456,9 +458,6 @@ static int skcipher_walk_skcipher(struct skcipher_walk *walk,
scatterwalk_start(&walk->in, req->src);
scatterwalk_start(&walk->out, req->dst);
- walk->iv = req->iv;
- walk->oiv = req->iv;
-
walk->flags &= ~SKCIPHER_WALK_SLEEP;
walk->flags |= req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP ?
SKCIPHER_WALK_SLEEP : 0;
@@ -510,6 +509,8 @@ static int skcipher_walk_aead_common(struct skcipher_walk *walk,
int err;
walk->nbytes = 0;
+ walk->iv = req->iv;
+ walk->oiv = req->iv;
if (unlikely(!walk->total))
return 0;
@@ -525,9 +526,6 @@ static int skcipher_walk_aead_common(struct skcipher_walk *walk,
scatterwalk_done(&walk->in, 0, walk->total);
scatterwalk_done(&walk->out, 0, walk->total);
- walk->iv = req->iv;
- walk->oiv = req->iv;
-
if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP)
walk->flags |= SKCIPHER_WALK_SLEEP;
else
--
2.15.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] crypto: skcipher - set walk.iv for zero-length inputs
2017-11-29 9:18 [PATCH] crypto: skcipher - set walk.iv for zero-length inputs Eric Biggers
@ 2017-12-11 11:45 ` Herbert Xu
0 siblings, 0 replies; 2+ messages in thread
From: Herbert Xu @ 2017-12-11 11:45 UTC (permalink / raw)
To: Eric Biggers
Cc: linux-crypto, David S . Miller, linux-kernel, Eric Biggers, stable
On Wed, Nov 29, 2017 at 01:18:57AM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> All the ChaCha20 algorithms as well as the ARM bit-sliced AES-XTS
> algorithms call skcipher_walk_virt(), then access the IV (walk.iv)
> before checking whether any bytes need to be processed (walk.nbytes).
>
> But if the input is empty, then skcipher_walk_virt() doesn't set the IV,
> and the algorithms crash trying to use the uninitialized IV pointer.
>
> Fix it by setting the IV earlier in skcipher_walk_virt(). Also fix it
> for the AEAD walk functions.
>
> This isn't a perfect solution because we can't actually align the IV to
> ->cra_alignmask unless there are bytes to process, for one because the
> temporary buffer for the aligned IV is freed by skcipher_walk_done(),
> which is only called when there are bytes to process. Thus, algorithms
> that require aligned IVs will still need to avoid accessing the IV when
> walk.nbytes == 0. Still, many algorithms/architectures are fine with
> IVs having any alignment, and even for those that aren't, a misaligned
> pointer bug is much less severe than an uninitialized pointer bug.
>
> This change also matches the behavior of the older blkcipher_walk API.
>
> Fixes: 0cabf2af6f5a ("crypto: skcipher - Fix crash on zero-length input")
> Reported-by: syzbot <syzkaller@googlegroups.com>
> Cc: <stable@vger.kernel.org> # v4.14+
> Signed-off-by: Eric Biggers <ebiggers@google.com>
Patch applied. Thanks.
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-12-11 11:45 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-11-29 9:18 [PATCH] crypto: skcipher - set walk.iv for zero-length inputs Eric Biggers
2017-12-11 11:45 ` Herbert Xu
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.