[PATCH 3.14 59/79] crypto: aesni - fix memory usage in GCM decryption

From: Greg Kroah-Hartman
Date: Tue Mar 24 2015 - 13:01:44 EST

Next message: Greg Kroah-Hartman: "[PATCH 3.14 77/79] target: Avoid dropping AllRegistrants reservation during unregister"
Previous message: Greg Kroah-Hartman: "[PATCH 3.14 76/79] target: Fix R_HOLDER bit usage for AllRegistrants"
In reply to: Greg Kroah-Hartman: "[PATCH 3.14 76/79] target: Fix R_HOLDER bit usage for AllRegistrants"
Next in thread: Greg Kroah-Hartman: "[PATCH 3.14 77/79] target: Avoid dropping AllRegistrants reservation during unregister"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

3.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Stephan Mueller <smueller@xxxxxxxxxx>

commit ccfe8c3f7e52ae83155cb038753f4c75b774ca8a upstream.

The kernel crypto API logic requires the caller to provide the
length of (ciphertext || authentication tag) as cryptlen for the
AEAD decryption operation. Thus, the cipher implementation must
calculate the size of the plaintext output itself and cannot simply use
cryptlen.

The RFC4106 GCM decryption operation tries to overwrite cryptlen memory
in req->dst. As the destination buffer for decryption only needs to hold
the plaintext memory but cryptlen references the input buffer holding
(ciphertext || authentication tag), the assumption of the destination
buffer length in RFC4106 GCM operation leads to a too large size. This
patch simply uses the already calculated plaintext size.

In addition, this patch fixes the offset calculation of the AAD buffer
pointer: as mentioned before, cryptlen already includes the size of the
tag. Thus, the tag does not need to be added. With the addition, the AAD
will be written beyond the already allocated buffer.

Note, this fixes a kernel crash that can be triggered from user space
via AF_ALG(aead) -- simply use the libkcapi test application
from [1] and update it to use rfc4106-gcm-aes.

Using [1], the changes were tested using CAVS vectors to demonstrate
that the crypto operation still delivers the right results.

[1] http://www.chronox.de/libkcapi.html

CC: Tadeusz Struk <tadeusz.struk@xxxxxxxxx>
Signed-off-by: Stephan Mueller <smueller@xxxxxxxxxx>
Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
arch/x86/crypto/aesni-intel_glue.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/x86/crypto/aesni-intel_glue.c
+++ b/arch/x86/crypto/aesni-intel_glue.c
@@ -1109,7 +1109,7 @@ static int __driver_rfc4106_decrypt(stru
src = kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC);
if (!src)
return -ENOMEM;
- assoc = (src + req->cryptlen + auth_tag_len);
+ assoc = (src + req->cryptlen);
scatterwalk_map_and_copy(src, req->src, 0, req->cryptlen, 0);
scatterwalk_map_and_copy(assoc, req->assoc, 0,
req->assoclen, 0);
@@ -1134,7 +1134,7 @@ static int __driver_rfc4106_decrypt(stru
scatterwalk_done(&src_sg_walk, 0, 0);
scatterwalk_done(&assoc_sg_walk, 0, 0);
} else {
- scatterwalk_map_and_copy(dst, req->dst, 0, req->cryptlen, 1);
+ scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1);
kfree(src);
}
return retval;

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg Kroah-Hartman: "[PATCH 3.14 77/79] target: Avoid dropping AllRegistrants reservation during unregister"
Previous message: Greg Kroah-Hartman: "[PATCH 3.14 76/79] target: Fix R_HOLDER bit usage for AllRegistrants"
In reply to: Greg Kroah-Hartman: "[PATCH 3.14 76/79] target: Fix R_HOLDER bit usage for AllRegistrants"
Next in thread: Greg Kroah-Hartman: "[PATCH 3.14 77/79] target: Avoid dropping AllRegistrants reservation during unregister"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]