| Message ID | 20180607191201.97080-1-ebiggers3@gmail.com (mailing list archive) |
|---|---|
| State | Not Applicable |
| Delegated to: | Herbert Xu |
| Headers | show |
On Thu, Jun 7, 2018 at 12:12 PM, Eric Biggers <ebiggers3@gmail.com> wrote: > From: Eric Biggers <ebiggers@google.com> > > Commit 383203eff718 ("dh key: get rid of stack allocated array") changed > kdf_ctr() to assume that the length of key material to derive is a > multiple of the digest size. The length was supposed to be rounded up > accordingly. However, the round_up() macro was used which only gives > the correct result on power-of-2 arguments, whereas not all hash > algorithms have power-of-2 digest sizes. In some cases this resulted in > a write past the end of the 'outbuf' buffer. > > Fix it by switching to roundup(), which works for non-power-of-2 inputs. round_up() vs roundup(). Wow, that's not confusing. :( I wonder if we should rename the former to roundup_pow2() or something? > Reported-by: syzbot+486f97f892efeb2075a3@syzkaller.appspotmail.com > Reported-by: syzbot+29d17b7898b41ee120a5@syzkaller.appspotmail.com > Reported-by: syzbot+8a608baf8751184ec727@syzkaller.appspotmail.com > Reported-by: syzbot+d04e58bd384f1fe0b112@syzkaller.appspotmail.com > Fixes: 383203eff718 ("dh key: get rid of stack allocated array") > Signed-off-by: Eric Biggers <ebiggers@google.com> Regardless: Acked-by: Kees Cook <keescook@chromium.org> -Kees > --- > security/keys/dh.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) > > diff --git a/security/keys/dh.c b/security/keys/dh.c > index f7403821db7f0..b203f7758f976 100644 > --- a/security/keys/dh.c > +++ b/security/keys/dh.c > @@ -142,6 +142,8 @@ static void kdf_dealloc(struct kdf_sdesc *sdesc) > * The src pointer is defined as Z || other info where Z is the shared secret > * from DH and other info is an arbitrary string (see SP800-56A section > * 5.8.1.2). > + * > + * 'dlen' must be a multiple of the digest size. > */ > static int kdf_ctr(struct kdf_sdesc *sdesc, const u8 *src, unsigned int slen, > u8 *dst, unsigned int dlen, unsigned int zlen) > @@ -205,8 +207,8 @@ static int keyctl_dh_compute_kdf(struct kdf_sdesc *sdesc, > { > uint8_t *outbuf = NULL; > int ret; > - size_t outbuf_len = round_up(buflen, > - crypto_shash_digestsize(sdesc->shash.tfm)); > + size_t outbuf_len = roundup(buflen, > + crypto_shash_digestsize(sdesc->shash.tfm)); > > outbuf = kmalloc(outbuf_len, GFP_KERNEL); > if (!outbuf) { > -- > 2.17.1.1185.g55be947832-goog >
On Thu, 7 Jun 2018, Kees Cook wrote: > On Thu, Jun 7, 2018 at 12:12 PM, Eric Biggers <ebiggers3@gmail.com> wrote: > > From: Eric Biggers <ebiggers@google.com> > > > > Commit 383203eff718 ("dh key: get rid of stack allocated array") changed > > kdf_ctr() to assume that the length of key material to derive is a > > multiple of the digest size. The length was supposed to be rounded up > > accordingly. However, the round_up() macro was used which only gives > > the correct result on power-of-2 arguments, whereas not all hash > > algorithms have power-of-2 digest sizes. In some cases this resulted in > > a write past the end of the 'outbuf' buffer. > > > > Fix it by switching to roundup(), which works for non-power-of-2 inputs. > > round_up() vs roundup(). Wow, that's not confusing. :( I wonder if we > should rename the former to roundup_pow2() or something? Good idea, in a separate patch(set).
On Thu, Jun 07, 2018 at 12:16:16PM -0700, Kees Cook wrote: > On Thu, Jun 7, 2018 at 12:12 PM, Eric Biggers <ebiggers3@gmail.com> wrote: > > From: Eric Biggers <ebiggers@google.com> > > > > Commit 383203eff718 ("dh key: get rid of stack allocated array") changed > > kdf_ctr() to assume that the length of key material to derive is a > > multiple of the digest size. The length was supposed to be rounded up > > accordingly. However, the round_up() macro was used which only gives > > the correct result on power-of-2 arguments, whereas not all hash > > algorithms have power-of-2 digest sizes. In some cases this resulted in > > a write past the end of the 'outbuf' buffer. > > > > Fix it by switching to roundup(), which works for non-power-of-2 inputs. > > round_up() vs roundup(). Wow, that's not confusing. :( I wonder if we > should rename the former to roundup_pow2() or something? Yes, it's very confusing, and I wish the names were clearer, or that there was one macro that just did the right thing (but then the power-of-2 optimization could only be done for constants, where it might not be necessary anyway). roundup_pow2() would still be confused with roundup_pow_of_two(), unfortunately. Eric
On Thu, Jun 07, 2018 at 12:12:01PM -0700, Eric Biggers wrote: > From: Eric Biggers <ebiggers@google.com> > > Commit 383203eff718 ("dh key: get rid of stack allocated array") changed > kdf_ctr() to assume that the length of key material to derive is a > multiple of the digest size. The length was supposed to be rounded up > accordingly. However, the round_up() macro was used which only gives > the correct result on power-of-2 arguments, whereas not all hash > algorithms have power-of-2 digest sizes. In some cases this resulted in > a write past the end of the 'outbuf' buffer. > > Fix it by switching to roundup(), which works for non-power-of-2 inputs. > > Reported-by: syzbot+486f97f892efeb2075a3@syzkaller.appspotmail.com > Reported-by: syzbot+29d17b7898b41ee120a5@syzkaller.appspotmail.com > Reported-by: syzbot+8a608baf8751184ec727@syzkaller.appspotmail.com > Reported-by: syzbot+d04e58bd384f1fe0b112@syzkaller.appspotmail.com > Fixes: 383203eff718 ("dh key: get rid of stack allocated array") > Signed-off-by: Eric Biggers <ebiggers@google.com> Arg, thanks. Acked-by: Tycho Andersen <tycho@tycho.ws>
Eric Biggers <ebiggers3@gmail.com> wrote: > Commit 383203eff718 ("dh key: get rid of stack allocated array") changed > kdf_ctr() to assume that the length of key material to derive is a > multiple of the digest size. The length was supposed to be rounded up > accordingly. However, the round_up() macro was used which only gives > the correct result on power-of-2 arguments, whereas not all hash > algorithms have power-of-2 digest sizes. In some cases this resulted in > a write past the end of the 'outbuf' buffer. > > Fix it by switching to roundup(), which works for non-power-of-2 inputs. Applied.
Hi David, On Fri, Jun 08, 2018 at 04:37:58PM +0100, David Howells wrote: > Eric Biggers <ebiggers3@gmail.com> wrote: > > > Commit 383203eff718 ("dh key: get rid of stack allocated array") changed > > kdf_ctr() to assume that the length of key material to derive is a > > multiple of the digest size. The length was supposed to be rounded up > > accordingly. However, the round_up() macro was used which only gives > > the correct result on power-of-2 arguments, whereas not all hash > > algorithms have power-of-2 digest sizes. In some cases this resulted in > > a write past the end of the 'outbuf' buffer. > > > > Fix it by switching to roundup(), which works for non-power-of-2 inputs. > > Applied. Applied to where? When are you planning to send this to Linus? Note that this was a regression from v4.17 to v4.18-rc1. Thanks, - Eric
diff --git a/security/keys/dh.c b/security/keys/dh.c index f7403821db7f0..b203f7758f976 100644 --- a/security/keys/dh.c +++ b/security/keys/dh.c @@ -142,6 +142,8 @@ static void kdf_dealloc(struct kdf_sdesc *sdesc) * The src pointer is defined as Z || other info where Z is the shared secret * from DH and other info is an arbitrary string (see SP800-56A section * 5.8.1.2). + * + * 'dlen' must be a multiple of the digest size. */ static int kdf_ctr(struct kdf_sdesc *sdesc, const u8 *src, unsigned int slen, u8 *dst, unsigned int dlen, unsigned int zlen) @@ -205,8 +207,8 @@ static int keyctl_dh_compute_kdf(struct kdf_sdesc *sdesc, { uint8_t *outbuf = NULL; int ret; - size_t outbuf_len = round_up(buflen, - crypto_shash_digestsize(sdesc->shash.tfm)); + size_t outbuf_len = roundup(buflen, + crypto_shash_digestsize(sdesc->shash.tfm)); outbuf = kmalloc(outbuf_len, GFP_KERNEL); if (!outbuf) {