All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH v2] crypto: AES-NI - fix memory usage in GCM decryption
@ 2015-03-12  8:17 Stephan Mueller
  2015-03-13 10:33 ` Herbert Xu
  0 siblings, 1 reply; 2+ messages in thread
From: Stephan Mueller @ 2015-03-12  8:17 UTC (permalink / raw)
  To: 'Herbert Xu, tadeusz.struk; +Cc: linux-crypto, 'LKML'

The kernel crypto API logic requires the caller to provide the
length of (ciphertext || authentication tag) as cryptlen for the
AEAD decryption operation. Thus, the cipher implementation must
calculate the size of the plaintext output itself and cannot simply use
cryptlen.

The RFC4106 GCM decryption operation tries to overwrite cryptlen memory
in req->dst. As the destination buffer for decryption only needs to hold
the plaintext memory but cryptlen references the input buffer holding
(ciphertext || authentication tag), the assumption of the destination
buffer length in RFC4106 GCM operation leads to a too large size. This
patch simply uses the already calculated plaintext size.

In addition, this patch fixes the offset calculation of the AAD buffer
pointer: as mentioned before, cryptlen already includes the size of the
tag. Thus, the tag does not need to be added. With the addition, the AAD
will be written beyond the already allocated buffer.

Note, this fixes a kernel crash that can be triggered from user space
via AF_ALG(aead) -- simply use the libkcapi test application
from [1] and update it to use rfc4106-gcm-aes.

Using [1], the changes were tested using CAVS vectors to demonstrate
that the crypto operation still delivers the right results.

[1] http://www.chronox.de/libkcapi.html

CC: Tadeusz Struk <tadeusz.struk@intel.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
---
 arch/x86/crypto/aesni-intel_glue.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c
index 6893f49..d71eb9d 100644
--- a/arch/x86/crypto/aesni-intel_glue.c
+++ b/arch/x86/crypto/aesni-intel_glue.c
@@ -1135,7 +1135,7 @@ static int __driver_rfc4106_decrypt(struct aead_request *req)
 		src = kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC);
 		if (!src)
 			return -ENOMEM;
-		assoc = (src + req->cryptlen + auth_tag_len);
+		assoc = (src + req->cryptlen);
 		scatterwalk_map_and_copy(src, req->src, 0, req->cryptlen, 0);
 		scatterwalk_map_and_copy(assoc, req->assoc, 0,
 			req->assoclen, 0);
@@ -1160,7 +1160,7 @@ static int __driver_rfc4106_decrypt(struct aead_request *req)
 		scatterwalk_done(&src_sg_walk, 0, 0);
 		scatterwalk_done(&assoc_sg_walk, 0, 0);
 	} else {
-		scatterwalk_map_and_copy(dst, req->dst, 0, req->cryptlen, 1);
+		scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1);
 		kfree(src);
 	}
 	return retval;
-- 
2.1.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH v2] crypto: AES-NI - fix memory usage in GCM decryption
  2015-03-12  8:17 [PATCH v2] crypto: AES-NI - fix memory usage in GCM decryption Stephan Mueller
@ 2015-03-13 10:33 ` Herbert Xu
  0 siblings, 0 replies; 2+ messages in thread
From: Herbert Xu @ 2015-03-13 10:33 UTC (permalink / raw)
  To: Stephan Mueller; +Cc: tadeusz.struk, linux-crypto, 'LKML'

On Thu, Mar 12, 2015 at 09:17:51AM +0100, Stephan Mueller wrote:
> The kernel crypto API logic requires the caller to provide the
> length of (ciphertext || authentication tag) as cryptlen for the
> AEAD decryption operation. Thus, the cipher implementation must
> calculate the size of the plaintext output itself and cannot simply use
> cryptlen.
> 
> The RFC4106 GCM decryption operation tries to overwrite cryptlen memory
> in req->dst. As the destination buffer for decryption only needs to hold
> the plaintext memory but cryptlen references the input buffer holding
> (ciphertext || authentication tag), the assumption of the destination
> buffer length in RFC4106 GCM operation leads to a too large size. This
> patch simply uses the already calculated plaintext size.
> 
> In addition, this patch fixes the offset calculation of the AAD buffer
> pointer: as mentioned before, cryptlen already includes the size of the
> tag. Thus, the tag does not need to be added. With the addition, the AAD
> will be written beyond the already allocated buffer.
> 
> Note, this fixes a kernel crash that can be triggered from user space
> via AF_ALG(aead) -- simply use the libkcapi test application
> from [1] and update it to use rfc4106-gcm-aes.
> 
> Using [1], the changes were tested using CAVS vectors to demonstrate
> that the crypto operation still delivers the right results.
> 
> [1] http://www.chronox.de/libkcapi.html
> 
> CC: Tadeusz Struk <tadeusz.struk@intel.com>
> Signed-off-by: Stephan Mueller <smueller@chronox.de>

Patch applied.  Thanks!
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-03-13 10:33 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-03-12  8:17 [PATCH v2] crypto: AES-NI - fix memory usage in GCM decryption Stephan Mueller
2015-03-13 10:33 ` Herbert Xu

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.