From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.0 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE, SPF_PASS,T_DKIMWL_WL_HIGH,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C3F82C2BCA1 for ; Sun, 9 Jun 2019 17:14:32 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 933C4205F4 for ; Sun, 9 Jun 2019 17:14:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1560100472; bh=SJ3bvGNHGX5MTf8QAP45iUrPWgiuSOwtd791qLhdx14=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=lZW6VxwrcQQZLKJvNaiy34tCEEi8JN06uPcPiig2QleVlEVLxMAlHah89QXg9qHa5 77WHAYl9K5uexXB9y6nuCRknaB9ghyUF29Q97CeR1cbZR7YGZrtlwV6e60Z4DgqYGW iyhS4m1mVWMMelvnD1pxyVKQv8ss8so5TR9QlFB8= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1733013AbfFIQ4f (ORCPT ); Sun, 9 Jun 2019 12:56:35 -0400 Received: from mail.kernel.org ([198.145.29.99]:59096 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732614AbfFIQ4c (ORCPT ); Sun, 9 Jun 2019 12:56:32 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D8E86206C3; Sun, 9 Jun 2019 16:56:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1560099391; bh=SJ3bvGNHGX5MTf8QAP45iUrPWgiuSOwtd791qLhdx14=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mXFJ+79LUTqht0y4qHv4KZl8nmDyXBfYaYI+zM+ogXbMjRiPvs+NfKH9C1k8MERsP zErDyQ1ekx9SGU6ohlArHi3KjlN0vrcWlJNjP7LAMkT49nsKzE8v8sN8Q68YagPf36 FSysoM1F9YhdAVjh+z4KSjr12+c6SWAwxnCGyncU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Biggers , Herbert Xu Subject: [PATCH 4.4 025/241] crypto: salsa20 - dont access already-freed walk.iv Date: Sun, 9 Jun 2019 18:39:27 +0200 Message-Id: <20190609164148.506134155@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190609164147.729157653@linuxfoundation.org> References: <20190609164147.729157653@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Eric Biggers commit edaf28e996af69222b2cb40455dbb5459c2b875a upstream. If the user-provided IV needs to be aligned to the algorithm's alignmask, then skcipher_walk_virt() copies the IV into a new aligned buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then if the caller unconditionally accesses walk.iv, it's a use-after-free. salsa20-generic doesn't set an alignmask, so currently it isn't affected by this despite unconditionally accessing walk.iv. However this is more subtle than desired, and it was actually broken prior to the alignmask being removed by commit b62b3db76f73 ("crypto: salsa20-generic - cleanup and convert to skcipher API"). Since salsa20-generic does not update the IV and does not need any IV alignment, update it to use req->iv instead of walk.iv. Fixes: 2407d60872dd ("[CRYPTO] salsa20: Salsa20 stream cipher") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- crypto/salsa20_generic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/crypto/salsa20_generic.c +++ b/crypto/salsa20_generic.c @@ -186,7 +186,7 @@ static int encrypt(struct blkcipher_desc blkcipher_walk_init(&walk, dst, src, nbytes); err = blkcipher_walk_virt_block(desc, &walk, 64); - salsa20_ivsetup(ctx, walk.iv); + salsa20_ivsetup(ctx, desc->info); while (walk.nbytes >= 64) { salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,