From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.0 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE, SPF_PASS,T_DKIMWL_WL_HIGH,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DFE41C468BE for ; Sun, 9 Jun 2019 17:14:35 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id AE83B205F4 for ; Sun, 9 Jun 2019 17:14:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1560100475; bh=SJ3bvGNHGX5MTf8QAP45iUrPWgiuSOwtd791qLhdx14=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-ID:From; b=iT7oBJmVEj/ZpPsb/p/tZo682cv5lHeEdRfwzb4/S5sK1fg+owuDRPTJBNaGdvRYY 2eUfJigzS4y/1sBuw1AwEVXrsO7OwxXzmCsHMw2LN5Ac3ChXNygdBSulWn8PPOlKbD eJ4NmVAPOFpUPB1jdDL0Mo5EqcxsmoHKM6Y60FEo= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732601AbfFIQ4c (ORCPT ); Sun, 9 Jun 2019 12:56:32 -0400 Received: from mail.kernel.org ([198.145.29.99]:59096 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732614AbfFIQ4c (ORCPT ); Sun, 9 Jun 2019 12:56:32 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D8E86206C3; Sun, 9 Jun 2019 16:56:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1560099391; bh=SJ3bvGNHGX5MTf8QAP45iUrPWgiuSOwtd791qLhdx14=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mXFJ+79LUTqht0y4qHv4KZl8nmDyXBfYaYI+zM+ogXbMjRiPvs+NfKH9C1k8MERsP zErDyQ1ekx9SGU6ohlArHi3KjlN0vrcWlJNjP7LAMkT49nsKzE8v8sN8Q68YagPf36 FSysoM1F9YhdAVjh+z4KSjr12+c6SWAwxnCGyncU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Biggers , Herbert Xu Subject: [PATCH 4.4 025/241] crypto: salsa20 - dont access already-freed walk.iv Date: Sun, 9 Jun 2019 18:39:27 +0200 Message-Id: <20190609164148.506134155@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190609164147.729157653@linuxfoundation.org> References: <20190609164147.729157653@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Eric Biggers commit edaf28e996af69222b2cb40455dbb5459c2b875a upstream. If the user-provided IV needs to be aligned to the algorithm's alignmask, then skcipher_walk_virt() copies the IV into a new aligned buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then if the caller unconditionally accesses walk.iv, it's a use-after-free. salsa20-generic doesn't set an alignmask, so currently it isn't affected by this despite unconditionally accessing walk.iv. However this is more subtle than desired, and it was actually broken prior to the alignmask being removed by commit b62b3db76f73 ("crypto: salsa20-generic - cleanup and convert to skcipher API"). Since salsa20-generic does not update the IV and does not need any IV alignment, update it to use req->iv instead of walk.iv. Fixes: 2407d60872dd ("[CRYPTO] salsa20: Salsa20 stream cipher") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- crypto/salsa20_generic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/crypto/salsa20_generic.c +++ b/crypto/salsa20_generic.c @@ -186,7 +186,7 @@ static int encrypt(struct blkcipher_desc blkcipher_walk_init(&walk, dst, src, nbytes); err = blkcipher_walk_virt_block(desc, &walk, 64); - salsa20_ivsetup(ctx, walk.iv); + salsa20_ivsetup(ctx, desc->info); while (walk.nbytes >= 64) { salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,