From patchwork Wed Nov 1 22:25:14 2017
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 10037693
X-Patchwork-Delegate: herbert@gondor.apana.org.au
From: Eric Biggers
To: linux-crypto@vger.kernel.org, Herbert Xu
Cc: keyrings@vger.kernel.org, Tudor-Dan Ambarus, Mat Martineau, Salvatore Benedetto, Stephan Mueller, Eric Biggers, stable@vger.kernel.org
Subject: [PATCH 1/4] crypto: dh - fix double free of ctx->p
Date: Wed, 1 Nov 2017 15:25:14 -0700
Message-Id: <20171101222517.41602-2-ebiggers3@gmail.com>
In-Reply-To: <20171101222517.41602-1-ebiggers3@gmail.com>
References: <20171101222517.41602-1-ebiggers3@gmail.com>
X-Mailing-List: linux-crypto@vger.kernel.org
From: Eric Biggers

When setting the secret with the software Diffie-Hellman implementation, if allocating 'g' failed (e.g. if it was longer than MAX_EXTERN_MPI_BITS), then 'p' was freed twice: once immediately, and once later when the crypto_kpp tfm was destroyed. Fix it by using dh_free_ctx() in the error paths, as that sets the pointers to NULL.

KASAN report:

MPI: mpi too large (32760 bits)
==================================================================
BUG: KASAN: use-after-free in mpi_free+0x131/0x170
Read of size 4 at addr ffff88006c7cdf90 by task reproduce_doubl/367

CPU: 1 PID: 367 Comm: reproduce_doubl Not tainted 4.14.0-rc7-00040-g05298abde6fe #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 dump_stack+0xb3/0x10b
 ? mpi_free+0x131/0x170
 print_address_description+0x79/0x2a0
 ? mpi_free+0x131/0x170
 kasan_report+0x236/0x340
 ? akcipher_register_instance+0x90/0x90
 __asan_report_load4_noabort+0x14/0x20
 mpi_free+0x131/0x170
 ? akcipher_register_instance+0x90/0x90
 dh_exit_tfm+0x3d/0x140
 crypto_kpp_exit_tfm+0x52/0x70
 crypto_destroy_tfm+0xb3/0x250
 __keyctl_dh_compute+0x640/0xe90
 ? kasan_slab_free+0x12f/0x180
 ? dh_data_from_key+0x240/0x240
 ? key_create_or_update+0x1ee/0xb20
 ? key_instantiate_and_link+0x440/0x440
 ? lock_contended+0xee0/0xee0
 ? kfree+0xcf/0x210
 ? SyS_add_key+0x268/0x340
 keyctl_dh_compute+0xb3/0xf1
 ? __keyctl_dh_compute+0xe90/0xe90
 ? SyS_add_key+0x26d/0x340
 ? entry_SYSCALL_64_fastpath+0x5/0xbe
 ? trace_hardirqs_on_caller+0x3f4/0x560
 SyS_keyctl+0x72/0x2c0
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x43ccf9
RSP: 002b:00007ffeeec96158 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa
RAX: ffffffffffffffda RBX: 000000000248b9b9 RCX: 000000000043ccf9
RDX: 00007ffeeec96170 RSI: 00007ffeeec96160 RDI: 0000000000000017
RBP: 0000000000000046 R08: 0000000000000000 R09: 0248b9b9143dc936
R10: 0000000000001000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000409670 R14: 0000000000409700 R15: 0000000000000000

Allocated by task 367:
 save_stack_trace+0x16/0x20
 kasan_kmalloc+0xeb/0x180
 kmem_cache_alloc_trace+0x114/0x300
 mpi_alloc+0x4b/0x230
 mpi_read_raw_data+0xbe/0x360
 dh_set_secret+0x1dc/0x460
 __keyctl_dh_compute+0x623/0xe90
 keyctl_dh_compute+0xb3/0xf1
 SyS_keyctl+0x72/0x2c0
 entry_SYSCALL_64_fastpath+0x1f/0xbe

Freed by task 367:
 save_stack_trace+0x16/0x20
 kasan_slab_free+0xab/0x180
 kfree+0xb5/0x210
 mpi_free+0xcb/0x170
 dh_set_secret+0x2d7/0x460
 __keyctl_dh_compute+0x623/0xe90
 keyctl_dh_compute+0xb3/0xf1
 SyS_keyctl+0x72/0x2c0
 entry_SYSCALL_64_fastpath+0x1f/0xbe

Fixes: 802c7f1c84e4 ("crypto: dh - Add DH software implementation")
Cc: # v4.8+
Signed-off-by: Eric Biggers
---
 crypto/dh.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/crypto/dh.c b/crypto/dh.c
index b1032a5c1bfa..b488f1782ced 100644
--- a/crypto/dh.c
+++ b/crypto/dh.c
@@ -71,10 +71,8 @@ static int dh_set_params(struct dh_ctx *ctx, struct dh *params) return -EINVAL; ctx->g = mpi_read_raw_data(params->g, params->g_size); - if (!ctx->g) { - mpi_free(ctx->p); + if (!ctx->g) return -EINVAL; - } return 0; } 
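Review bot: with the `mpi_free(ctx->p)` dropped from the `!ctx->g` branch, dh_set_params() now returns -EINVAL with `ctx->p` still allocated and still referenced from the context, the same state the `return -EINVAL;` context line at the top of the hunk already leaves behind for a failed `p`; that is only leak-free if every caller runs dh_free_ctx() on failure. Please add a one-line comment above dh_set_params() stating that contract (for example `/* On error the caller must dh_free_ctx() the context */`) so the next caller does not reintroduce either the leak or the double free, and confirm that dh_set_secret() is its only caller.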
@@ -89,18 +87,20 @@ static int dh_set_secret(struct crypto_kpp *tfm, const void *buf, dh_free_ctx(ctx); if (crypto_dh_decode_key(buf, len, ¶ms) < 0) - return -EINVAL; + goto err_free_ctx; if (dh_set_params(ctx, ¶ms) < 0) - return -EINVAL; + goto err_free_ctx; ctx->xa = mpi_read_raw_data(params.key, params.key_size); - if (!ctx->xa) { - dh_clear_params(ctx); - return -EINVAL; - } + if (!ctx->xa) + goto err_free_ctx; return 0; + +err_free_ctx: + dh_free_ctx(ctx); + return -EINVAL; } static int dh_compute_value(struct kpp_request *req)
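Review bot: every failure in dh_set_secret() still collapses to `-EINVAL`, including a negative return from `crypto_dh_decode_key()`, so a caller cannot tell a malformed key blob from an MPI that was too large; now that the three paths share one `err_free_ctx:` label it is cheap to keep the callee's code, e.g. `ret = crypto_dh_decode_key(buf, len, &params); if (ret) goto err_free_ctx;` with `return ret;` after `dh_free_ctx(ctx);`. Note also that the first `goto err_free_ctx` runs dh_free_ctx() on a context that the `dh_free_ctx(ctx);` at the top of the hunk already emptied; that is harmless only because dh_free_ctx() NULLs the pointers, which is the property the whole fix depends on and is worth stating in a comment at the label.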
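To make the ownership bug in the commit message concrete, here is an added example in user-space C; it is not the kernel's crypto/dh.c and not part of this patch. It models the same three-pointer context (p, g, xa), a dh_set_params() that in its pre-patch form frees p when g fails without clearing the pointer, a dh_set_secret() with both the pre-patch early return and the patch's err_free_ctx path, and the tfm teardown that calls dh_free_ctx() whether or not setting the secret succeeded. mpi_read_raw_bits(), simulate(), the `fixed` flag, the global `leaked` and the MAX_BITS value are assumptions made for the example; the stand-in allocator records every object and counts a second free of the same object instead of performing it, which is the condition KASAN reported.

```c
/* Added example, not crypto/dh.c and not part of this patch: a user-space model
 * of the ownership bug in the commit message.  mpi_read_raw_bits(), simulate(),
 * the "fixed" flag and MAX_BITS are assumptions; mpi_free() counts a second
 * free of the same object instead of performing it, standing in for KASAN. */
#include <stdlib.h>
#define MAX_BITS 4096U   /* stand-in for MAX_EXTERN_MPI_BITS (assumed value) */

struct mpi { unsigned bits; };
struct dh_ctx { struct mpi *p, *g, *xa; };

static struct mpi *tracked[16];   /* every object handed out */
static int live[16];              /* 1 while allocated, 0 once freed */
static int ntracked, double_frees, leaked;

static void reset_tracker(void)
{
	for (int i = 0; i < ntracked; i++)
		free(tracked[i]);         /* the real free happens exactly once, here */
	ntracked = double_frees = 0;
}

/* Models mpi_read_raw_data(): NULL for an oversized value ("mpi too large"). */
static struct mpi *mpi_read_raw_bits(unsigned bits)
{
	struct mpi *m;
	if (bits > MAX_BITS || ntracked == 16 || !(m = calloc(1, sizeof(*m))))
		return NULL;
	m->bits = bits;
	tracked[ntracked] = m;
	live[ntracked++] = 1;
	return m;
}

/* Models mpi_free(): freeing an object that is no longer live is the bug. */
static void mpi_free(struct mpi *m)
{
	for (int i = 0; m && i < ntracked; i++) {
		if (tracked[i] != m)
			continue;
		double_frees += !live[i]; /* a second free: the access KASAN flagged */
		live[i] = 0;
		return;
	}
}

/* Frees everything and NULLs the pointers: the property the fix relies on. */
static void dh_free_ctx(struct dh_ctx *ctx)
{
	mpi_free(ctx->p);
	mpi_free(ctx->g);
	mpi_free(ctx->xa);
	ctx->p = ctx->g = ctx->xa = NULL;
}

/* fixed == 0 is the pre-patch helper: frees p when g fails, ctx->p dangles. */
static int dh_set_params(struct dh_ctx *ctx, unsigned pbits, unsigned gbits, int fixed)
{
	ctx->p = mpi_read_raw_bits(pbits);
	if (!ctx->p)
		return -1;
	ctx->g = mpi_read_raw_bits(gbits);
	if (!ctx->g) {
		if (!fixed)
			mpi_free(ctx->p); /* ctx->p still points at the freed object */
		return -1;
	}
	return 0;
}

static int dh_set_secret(struct dh_ctx *ctx, unsigned pbits, unsigned gbits,
			 unsigned xabits, int fixed)
{
	dh_free_ctx(ctx);
	if (dh_set_params(ctx, pbits, gbits, fixed) < 0) {
		if (fixed)
			goto err_free_ctx;  /* the patch: free and NULL everything */
		return -1;  /* pre-patch: ctx->p dangles until the tfm teardown */
	}
	ctx->xa = mpi_read_raw_bits(xabits);
	if (!ctx->xa)
		goto err_free_ctx;  /* this path cleared p and g before the patch too */
	return 0;
err_free_ctx:
	dh_free_ctx(ctx);
	return -1;
}

/* Models keyctl_dh_compute(): set the secret, then destroy the tfm (dh_exit_tfm
 * -> dh_free_ctx) either way.  Returns the double-free count; the global
 * "leaked" receives the number of objects that were never freed. */
static int simulate(int fixed, unsigned pbits, unsigned gbits, unsigned xabits)
{
	struct dh_ctx ctx = { NULL, NULL, NULL };
	reset_tracker();
	dh_set_secret(&ctx, pbits, gbits, xabits, fixed);
	dh_free_ctx(&ctx);                /* tfm teardown */
	for (int i = leaked = 0; i < ntracked; i++)
		leaked += live[i];        /* objects never freed: a leak */
	return double_frees;
}
```

simulate(0, 2048, 32760, 256) models the report (a g larger than the limit) and yields one double free with nothing leaked; simulate(1, 2048, 32760, 256) on the same input yields none and still leaks nothing, which is the check a reviewer wants from this patch: the fix must not trade the double free of p for a leak of p. An oversized xa (the third argument at 32760) produces neither outcome in either version, matching the commit message's point that only the g failure path was broken.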