[PATCH 3.18 33/90] crypto: lrw - Fix out-of bounds access on counter overflow

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Eric Biggers <ebiggers@kernel.org>,
	Ondrej Mosnacek <omosnace@redhat.com>,
	Herbert Xu <herbert@gondor.apana.org.au>
Subject: [PATCH 3.18 33/90] crypto: lrw - Fix out-of bounds access on counter overflow
Date: Mon, 19 Nov 2018 17:29:15 +0100	[thread overview]
Message-ID: <20181119162626.228476726@linuxfoundation.org> (raw)
In-Reply-To: <20181119162620.585061184@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ondrej Mosnacek <omosnace@redhat.com>

commit fbe1a850b3b1522e9fc22319ccbbcd2ab05328d2 upstream.

When the LRW block counter overflows, the current implementation returns
128 as the index to the precomputed multiplication table, which has 128
entries. This patch fixes it to return the correct value (127).

Fixes: 64470f1b8510 ("[CRYPTO] lrw: Liskov Rivest Wagner, a tweakable narrow block cipher mode")
Cc: <stable@vger.kernel.org> # 2.6.20+
Reported-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 crypto/lrw.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/crypto/lrw.c
+++ b/crypto/lrw.c
@@ -132,7 +132,12 @@ static inline int get_index128(be128 *bl
 		return x + ffz(val);
 	}
 
-	return x;
+	/*
+	 * If we get here, then x == 128 and we are incrementing the counter
+	 * from all ones to all zeros. This means we must return index 127, i.e.
+	 * the one corresponding to key2*{ 1,...,1 }.
+	 */
+	return 127;
 }
 
 static int crypt(struct blkcipher_desc *d,

next prev parent reply	other threads:[~2018-11-19 17:05 UTC|newest]

Thread overview: 103+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-19 16:28 [PATCH 3.18 00/90] 3.18.126-stable review Greg Kroah-Hartman
2018-11-19 16:28 ` [PATCH 3.18 01/90] bcache: fix miss key refill->end in writeback Greg Kroah-Hartman
2018-11-19 16:28 ` [PATCH 3.18 02/90] jffs2: free jffs2_sb_info through jffs2_kill_sb() Greg Kroah-Hartman
2018-11-19 16:28 ` [PATCH 3.18 03/90] pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges Greg Kroah-Hartman
2018-11-19 16:28 ` [PATCH 3.18 04/90] ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops Greg Kroah-Hartman
2018-11-19 16:28 ` [PATCH 3.18 05/90] x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided Greg Kroah-Hartman
2018-11-19 16:28 ` [PATCH 3.18 06/90] sparc: Fix single-pcr perf event counter management Greg Kroah-Hartman
2018-11-19 16:28 ` [PATCH 3.18 07/90] sparc: Throttle perf events properly Greg Kroah-Hartman
2018-11-19 16:28 ` [PATCH 3.18 08/90] net: qla3xxx: Remove overflowing shift statement Greg Kroah-Hartman
2018-11-19 16:28 ` [PATCH 3.18 09/90] selftests: ftrace: Add synthetic event syntax testcase Greg Kroah-Hartman
2018-11-19 16:28 ` [PATCH 3.18 10/90] locking/lockdep: Fix debug_locks off performance problem Greg Kroah-Hartman
2018-11-19 16:28 ` [PATCH 3.18 11/90] ataflop: fix error handling during setup Greg Kroah-Hartman
2018-11-19 16:28 ` [PATCH 3.18 12/90] swim: fix cleanup on setup error Greg Kroah-Hartman
2018-11-19 16:28 ` [PATCH 3.18 13/90] tun: Consistently configure generic netdev params via rtnetlink Greg Kroah-Hartman
2018-11-19 16:28 ` [PATCH 3.18 14/90] perf tools: Free temporary sys string in read_event_files() Greg Kroah-Hartman
2018-11-19 16:28 ` [PATCH 3.18 15/90] perf tools: Cleanup trace-event-info tdata leak Greg Kroah-Hartman
2018-11-19 16:28 ` [PATCH 3.18 16/90] cpupower: Fix coredump on VMWare Greg Kroah-Hartman
2018-11-19 18:11   ` Prarit Bhargava
2018-11-20  8:49     ` Greg Kroah-Hartman
2018-11-19 16:28 ` [PATCH 3.18 17/90] mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01 Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 18/90] x86/olpc: Indicate that legacy PC XO-1 platform should not register RTC Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 19/90] x86: boot: Fix EFI stub alignment Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 20/90] kprobes: Return error if we fail to reuse kprobe instead of BUG_ON() Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 21/90] ath10k: schedule hardware restart if WMI command times out Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 22/90] scsi: esp_scsi: Track residual for PIO transfers Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 23/90] ext4: fix argument checking in EXT4_IOC_MOVE_EXT Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 24/90] usb: chipidea: Prevent unbalanced IRQ disable Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 25/90] uio: ensure class is registered before devices Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 26/90] scsi: lpfc: Correct soft lockup when running mds diagnostics Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 27/90] signal: Always deliver the kernels SIGKILL and SIGSTOP to a pid namespace init Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 28/90] net/ipv4: defensive cipso option parsing Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 29/90] jbd2: fix use after free in jbd2_log_do_checkpoint() Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 30/90] gfs2_meta: ->mount() can get NULL dev_name Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 31/90] ext4: initialize retries variable in ext4_da_write_inline_data_begin() Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 32/90] signal/GenWQE: Fix sending of SIGKILL Greg Kroah-Hartman
2018-11-19 16:29 ` Greg Kroah-Hartman [this message]
2018-11-19 16:29 ` [PATCH 3.18 34/90] ima: fix showing large violations or runtime_measurements_count Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 35/90] kbuild: fix kernel/bounds.c W=1 warning Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 36/90] iio: adc: at91: fix acking DRDY irq on simple conversions Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 37/90] iio: adc: at91: fix wrong channel number in triggered buffer mode Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 38/90] w1: omap-hdq: fix missing bus unregister at removal Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 39/90] smb3: allow stats which track session and share reconnects to be reset Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 40/90] smb3: do not attempt cifs operation in smb3 query info error path Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 41/90] smb3: on kerberos mount if server doesnt specify auth type use krb5 Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 42/90] printk: Fix panic caused by passing log_buf_len to command line Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 43/90] NFSv4.1: Fix the r/wsize checking Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 44/90] nfsd: Fix an Oops in free_session() Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 45/90] lockd: fix access beyond unterminated strings in prints Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 46/90] dm ioctl: harden copy_params()s copy_from_user() from malicious users Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 47/90] TC: Set DMA masks for devices Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 48/90] kgdboc: Passing ekgdboc to command line causes panic Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 49/90] media: em28xx: use a default format if TRY_FMT fails Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 50/90] media: em28xx: fix input name for Terratec AV 350 Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 51/90] media: em28xx: make v4l2-compliance happier by starting sequence on zero Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 52/90] Cramfs: fix abad comparison when wrap-arounds occur Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 53/90] dm: remove duplicate dm_get_live_table() in __dm_destroy() Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 54/90] tty: check name length in tty_find_polling_driver() Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 55/90] powerpc/nohash: fix undefined behaviour when testing page size support Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 56/90] drm/omap: fix memory barrier bug in DMM driver Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 57/90] media: pci: cx23885: handle adding to list failure Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 58/90] MIPS: kexec: Mark CPU offline before disabling local IRQ Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 59/90] powerpc/boot: Ensure _zimage_start is a weak symbol Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 60/90] media: tvp5150: fix width alignment during set_selection() Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 61/90] 9p: clear dangling pointers in p9stat_free Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 62/90] cdrom: fix improper type cast, which can leat to information leak Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 63/90] xtensa: fix boot parameters address translation Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 64/90] clk: s2mps11: Fix matching when built as module and DT node contains compatible Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 65/90] libceph: bump CEPH_MSG_MAX_DATA_LEN Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 66/90] mach64: fix display corruption on big endian machines Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 67/90] mach64: fix image corruption due to reading accelerator registers Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 68/90] ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 69/90] mtd: docg3: dont set conflicting BCH_CONST_PARAMS option Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 70/90] termios, tty/tty_baudrate.c: fix buffer overrun Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 71/90] arch/alpha, termios: implement BOTHER, IBSHIFT and termios2 Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 72/90] ext4: add missing brelse() update_backups()s error path Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 73/90] ext4: add missing brelse() in set_flexbg_block_bitmap()s " Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 74/90] ext4: add missing brelse() add_new_gdb_meta_bg()s " Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 75/90] ext4: avoid potential extra brelse in setup_new_flex_group_blocks() Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 76/90] ext4: fix possible inode leak in the retry loop of ext4_resize_fs() Greg Kroah-Hartman
2018-11-19 16:29 ` [PATCH 3.18 77/90] ext4: avoid buffer leak in ext4_orphan_add() after prior errors Greg Kroah-Hartman
2018-11-19 16:30 ` [PATCH 3.18 78/90] ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing Greg Kroah-Hartman
2018-11-19 16:30 ` [PATCH 3.18 79/90] ext4: avoid possible double brelse() in add_new_gdb() on error path Greg Kroah-Hartman
2018-11-19 16:30 ` [PATCH 3.18 80/90] ext4: fix possible leak of sbi->s_group_desc_leak in " Greg Kroah-Hartman
2018-11-19 16:30 ` [PATCH 3.18 81/90] ext4: release bs.bh before re-using in ext4_xattr_block_find() Greg Kroah-Hartman
2018-11-19 16:30 ` [PATCH 3.18 82/90] ext4: fix buffer leak in ext4_xattr_move_to_block() on error path Greg Kroah-Hartman
2018-11-19 16:30 ` [PATCH 3.18 83/90] ext4: fix buffer leak in __ext4_read_dirblock() " Greg Kroah-Hartman
2018-11-19 16:30 ` [PATCH 3.18 84/90] mount: Retest MNT_LOCKED in do_umount Greg Kroah-Hartman
2018-11-19 16:30 ` [PATCH 3.18 85/90] mount: Dont allow copying MNT_UNBINDABLE|MNT_LOCKED mounts Greg Kroah-Hartman
2018-11-19 16:30 ` [PATCH 3.18 86/90] mount: Prevent MNT_DETACH from disconnecting locked mounts Greg Kroah-Hartman
2018-11-19 16:30 ` [PATCH 3.18 87/90] sunrpc: correct the computation for page_ptr when truncating Greg Kroah-Hartman
2018-11-19 16:30 ` [PATCH 3.18 88/90] fuse: fix leaked notify reply Greg Kroah-Hartman
2018-11-19 16:30 ` [PATCH 3.18 89/90] configfs: replace strncpy with memcpy Greg Kroah-Hartman
2018-11-19 16:30 ` [PATCH 3.18 90/90] hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444! Greg Kroah-Hartman
2018-11-20  0:09 ` [PATCH 3.18 00/90] 3.18.126-stable review shuah
2018-11-20  7:49   ` Greg Kroah-Hartman
2018-11-20 10:39 ` Harsh Shandilya
2018-11-20 11:16   ` Greg Kroah-Hartman
     [not found]     ` <D161C16F-60D6-4C60-B065-C780BD3DCF55@prjkt.io>
2018-11-20 16:40       ` Greg Kroah-Hartman
2018-11-20 16:58 ` Guenter Roeck
2018-11-20 20:38 ` Guenter Roeck
2018-11-21 10:37   ` Greg Kroah-Hartman
2018-11-21 23:40     ` Guenter Roeck
2018-11-22  6:30       ` Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181119162626.228476726@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=ebiggers@kernel.org \
    --cc=herbert@gondor.apana.org.au \
    --cc=linux-kernel@vger.kernel.org \
    --cc=omosnace@redhat.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).