    crypto: authenc - fix parsing key with misaligned rta_len · 461652ef
    Eric Biggers authored
    commit 8f9c469348487844328e162db57112f7d347c49f upstream.
    
    Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte
    'enckeylen', followed by an authentication key and an encryption key.
    crypto_authenc_extractkeys() parses the key to find the inner keys.
    
    However, it fails to consider the case where the rtattr's payload is
    longer than 4 bytes but not 4-byte aligned, and where the key ends
    before the next 4-byte aligned boundary.  In this case, 'keylen -=
    RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX.  This
    causes a buffer overread and crash during crypto_ahash_setkey().
    
    Fix it by restricting the rtattr payload to the expected size.
    
    Reproducer using AF_ALG:
    
    	#include <linux/if_alg.h>
    	#include <linux/rtnetlink.h>
    	#include <sys/socket.h>
    
    	int main()
    	{
    		int fd;
    		struct sockaddr_alg addr = {
    			.salg_type = "aead",
    			.salg_name = "authenc(hmac(sha256),cbc(aes))",
    		};
    		struct {
    			struct rtattr attr;
    			__be32 enckeylen;
    			char keys[1];
    		} __attribute__((packed)) key = {
    			.attr.rta_len = sizeof(key),
    			.attr.rta_type = 1 /* CRYPTO_AUTHENC_KEYA_PARAM */,
    		};
    
    		fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    		bind(fd, (void *)&addr, sizeof(addr));
    		setsockopt(fd, SOL_ALG, ALG_SET_KEY, &key, sizeof(key));
    	}
    
    It caused:
    
    	BUG: unable to handle kernel paging request at ffff88007ffdc000
    	PGD 2e01067 P4D 2e01067 PUD 2e04067 PMD 2e05067 PTE 0
    	Oops: 0000 [#1] SMP
    	CPU: 0 PID: 883 Comm: authenc Not tainted 4.20.0-rc1-00108-g00c9fe37a7f27 #13
    	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014
    	RIP: 0010:sha256_ni_transform+0xb3/0x330 arch/x86/crypto/sha256_ni_asm.S:155
    	[...]
    	Call Trace:
    	 sha256_ni_finup+0x10/0x20 arch/x86/crypto/sha256_ssse3_glue.c:321
    	 crypto_shash_finup+0x1a/0x30 crypto/shash.c:178
    	 shash_digest_unaligned+0x45/0x60 crypto/shash.c:186
    	 crypto_shash_digest+0x24/0x40 crypto/shash.c:202
    	 hmac_setkey+0x135/0x1e0 crypto/hmac.c:66
    	 crypto_shash_setkey+0x2b/0xb0 crypto/shash.c:66
    	 shash_async_setkey+0x10/0x20 crypto/shash.c:223
    	 crypto_ahash_setkey+0x2d/0xa0 crypto/ahash.c:202
    	 crypto_authenc_setkey+0x68/0x100 crypto/authenc.c:96
    	 crypto_aead_setkey+0x2a/0xc0 crypto/aead.c:62
    	 aead_setkey+0xc/0x10 crypto/algif_aead.c:526
    	 alg_setkey crypto/af_alg.c:223 [inline]
    	 alg_setsockopt+0xfe/0x130 crypto/af_alg.c:256
    	 __sys_setsockopt+0x6d/0xd0 net/socket.c:1902
    	 __do_sys_setsockopt net/socket.c:1913 [inline]
    	 __se_sys_setsockopt net/socket.c:1910 [inline]
    	 __x64_sys_setsockopt+0x1f/0x30 net/socket.c:1910
    	 do_syscall_64+0x4a/0x180 arch/x86/entry/common.c:290
    	 entry_SYSCALL_64_after_hwframe+0x49/0xbe
    
    Fixes: e236d4a8 ("[CRYPTO] authenc: Move enckeylen into key itself")
    Cc: <stable@vger.kernel.org> # v2.6.25+
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
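
The length arithmetic described in the commit message above, as an added userspace model (not the kernel's code and not part of the commit). `struct rta_hdr`, `ALIGN4`, `extract()` and `reproducer_authkeylen()` are names made up for this example, and a 32-bit `unsigned int` is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Local stand-ins for struct rtattr and RTA_ALIGN(); the names are this example's own. */
struct rta_hdr { uint16_t len, type; };
struct split { unsigned int authkeylen, enckeylen; };
#define HDRLEN     ((unsigned int)sizeof(struct rta_hdr))
#define ALIGN4(n)  (((n) + 3u) & ~3u)
#define PARAM_TYPE 1u   /* CRYPTO_AUTHENC_KEYA_PARAM, as in the reproducer */

/* fixed == 0: payload may be any size >= 4 and the aligned length is subtracted,
 * the behaviour the commit message describes. fixed == 1: payload must be exactly 4. */
int extract(const uint8_t *key, unsigned int keylen, int fixed, struct split *out)
{
	struct rta_hdr h;
	unsigned int len;
	if (keylen < HDRLEN)
		return -1;
	memcpy(&h, key, HDRLEN);
	len = h.len;
	if (len < HDRLEN || len > keylen || h.type != PARAM_TYPE)
		return -1;
	if (fixed ? len - HDRLEN != 4 : len - HDRLEN < 4)
		return -1;
	out->enckeylen = (unsigned int)key[4] << 24 | key[5] << 16 | key[6] << 8 | key[7];
	keylen -= fixed ? len : ALIGN4(len);   /* unfixed: wraps when ALIGN4(len) > keylen */
	if (keylen < out->enckeylen)
		return -1;
	out->authkeylen = keylen - out->enckeylen;
	return 0;
}

/* Constructed input with the reproducer's layout: rta_len 9, enckeylen 0, one key byte. */
unsigned int reproducer_authkeylen(int fixed, int *ret)
{
	uint8_t key[9] = {0};
	struct rta_hdr h = { sizeof(key), PARAM_TYPE };
	struct split s = {0, 0};
	memcpy(key, &h, HDRLEN);
	*ret = extract(key, sizeof(key), fixed, &s);
	return s.authkeylen;
}

int main(void)
{
	int r0, r1;
	unsigned int a0 = reproducer_authkeylen(0, &r0), a1 = reproducer_authkeylen(1, &r1);
	printf("unfixed: ret=%d authkeylen=%u\nfixed:   ret=%d authkeylen=%u\n", r0, a0, r1, a1);
	return 0;
}
```

With the lower-bound check the 9-byte key is accepted and the authentication key length comes out near UINT_MAX; with the exact-size check the same key is rejected, while a well-formed key with an 8-byte attribute splits identically in both modes.
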
Name
asymmetric_keys
async_tx
.gitignore
842.c
Kconfig
Makefile
ablk_helper.c
ablkcipher.c
aead.c
aes_generic.c
af_alg.c
ahash.c
akcipher.c
algapi.c
algboss.c
algif_aead.c
algif_hash.c
algif_rng.c
algif_skcipher.c
ansi_cprng.c
anubis.c
api.c
arc4.c
authenc.c
authencesn.c
blkcipher.c
blowfish_common.c
blowfish_generic.c
camellia_generic.c
cast5_generic.c
cast6_generic.c
cast_common.c
cbc.c
ccm.c
chacha20_generic.c
chacha20poly1305.c
chainiv.c
cipher.c
cmac.c
compress.c
crc32.c
crc32c_generic.c
crct10dif_common.c
crct10dif_generic.c
cryptd.c
crypto_null.c
crypto_user.c
crypto_wq.c
ctr.c
cts.c
deflate.c
des_generic.c
drbg.c
ecb.c
echainiv.c
eseqiv.c
fcrypt.c
fips.c
gcm.c
gf128mul.c
ghash-generic.c
hash_info.c
hmac.c
internal.h
jitterentropy-kcapi.c
jitterentropy.c
keywrap.c
khazad.c
lrw.c
lz4.c
lz4hc.c
lzo.c
mcryptd.c
md4.c
md5.c
memneq.c
michael_mic.c
pcbc.c
pcompress.c
pcrypt.c
poly1305_generic.c
proc.c
ripemd.h
rmd128.c
rmd160.c
rmd256.c
rmd320.c
rng.c
rsa.c
rsa_helper.c
rsaprivkey.asn1
rsapubkey.asn1
salsa20_generic.c
scatterwalk.c
seed.c
seqiv.c
serpent_generic.c
sha1_generic.c
sha256_generic.c
sha512_generic.c
shash.c
skcipher.c
tcrypt.c
tcrypt.h
tea.c
testmgr.c
testmgr.h
tgr192.c
twofish_common.c
twofish_generic.c
vmac.c
wp512.c
xcbc.c
xor.c
xts.c
zlib.c