From patchwork Mon Nov 6 02:30:45 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 10042535 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id B5DD7601EB for ; Mon, 6 Nov 2017 02:31:34 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C322C28D7A for ; Mon, 6 Nov 2017 02:31:34 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id B71B428EF9; Mon, 6 Nov 2017 02:31:34 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.5 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 196D528D7A for ; Mon, 6 Nov 2017 02:31:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751744AbdKFCbc (ORCPT ); Sun, 5 Nov 2017 21:31:32 -0500 Received: from mail-pf0-f196.google.com ([209.85.192.196]:56763 "EHLO mail-pf0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751134AbdKFCbW (ORCPT ); Sun, 5 Nov 2017 21:31:22 -0500 Received: by mail-pf0-f196.google.com with SMTP id b85so6609917pfj.13; Sun, 05 Nov 2017 18:31:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=7LN/hAPRSPuwEWkNf/+C0CoG/JNZ0KjAykpIMh54fic=; b=bNsmtzitkiUUkusWhTHBhJs2I2GZwnbd8FoYMo99R8Dl3vJajVOwjyX9XHsLbshLNf 7wu38HC2RI+Fn/QFgnp70BdPPqeyJXEIuIUxIuEF9k5UWq+PxWuG0wbC1NCm/yMWWOzZ 8lSAvGpxRTbWV5OgFS/pzaVimfXuQ6san6It1ewJa4vU+Wokq+gmH8DxKa0P+XajO06V i2B28d1pfli+6vrn6QvlwR5JN/CUvFjDG1o7VsZY8MDL+BbQ1cOtvibc9FuRnAt20XmN cqhtMU/NMz01twfcJyebal12RS3Azc5SqYeSlMRu8CdiJu+IPz+OB4thojKnVZUxntur jCUA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=7LN/hAPRSPuwEWkNf/+C0CoG/JNZ0KjAykpIMh54fic=; b=hgZn7ZPjl9+Skfn9VWp4LYoNFsTb0tNcQ4WM/pZ8holS8eM0iHEowStGG9g+xBQGDv MaxOmmGr9dlneb173C9MwXxLlUsB5tryfkZdqsFITyqUbmkH8msc398NVqqFTBgFdGss UJ3sQjoXqkrRUYTBIkik+ZCI8keo8TN+ZprAbnkYiS+KUG5kLiXL+DjmHI0nEgZiDR6A QmrC0fIToEFZX+ywi6TghYtRvS78tHYsqsHs//nQZsZtjXQVsPX/RbnGmYwYObOxgbQk 7j3s7RXZboJU1iPWY16JtZMZ7jVOu0EB4zs7l+PPEpWS+js77XGccLV9CC8I0xT9fYb6 un8w== X-Gm-Message-State: AMCzsaXCjFMLp2ezDeUncCaZCwhIEDkHeDOSh0KhKSo4tdQqdCzcfhvY PMVsRzL17V+5Ka3+8bguEeh8IGvj X-Google-Smtp-Source: ABhQp+QYmaoHohluo/zoJvpI4/FdjiMcS4flIqbCbg33eFBmJ6ChalnNoCnjxP7URM2ZNr60uaz3yQ== X-Received: by 10.99.100.67 with SMTP id y64mr14222915pgb.349.1509935481835; Sun, 05 Nov 2017 18:31:21 -0800 (PST) Received: from zzz.hsd1.wa.comcast.net (c-67-185-97-198.hsd1.wa.comcast.net. [67.185.97.198]) by smtp.gmail.com with ESMTPSA id e71sm23012520pfk.55.2017.11.05.18.31.20 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 05 Nov 2017 18:31:21 -0800 (PST) From: Eric Biggers To: linux-crypto@vger.kernel.org, Herbert Xu Cc: Giovanni Cabiddu , Salvatore Benedetto , Tudor-Dan Ambarus , Mat Martineau , Stephan Mueller , qat-linux@intel.com, keyrings@vger.kernel.org, Eric Biggers , stable@vger.kernel.org Subject: [PATCH v2 2/5] crypto: dh - Don't permit 'p' to be 0 Date: Sun, 5 Nov 2017 18:30:45 -0800 Message-Id: <20171106023048.8067-3-ebiggers3@gmail.com> X-Mailer: git-send-email 2.15.0 In-Reply-To: <20171106023048.8067-1-ebiggers3@gmail.com> References: <20171106023048.8067-1-ebiggers3@gmail.com> Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers If 'p' is 0 for the software Diffie-Hellman implementation, then dh_max_size() returns 0. In the case of KEYCTL_DH_COMPUTE, this causes ZERO_SIZE_PTR to be passed to sg_init_one(), which with CONFIG_DEBUG_SG=y triggers the 'BUG_ON(!virt_addr_valid(buf));' in sg_set_buf(). Fix this by making crypto_dh_decode_key() reject 0 for 'p'. p=0 makes no sense for any DH implementation because 'p' is supposed to be a prime number. Moreover, 'mod 0' is not mathematically defined. Bug report: kernel BUG at ./include/linux/scatterlist.h:140! invalid opcode: 0000 [#1] SMP KASAN CPU: 0 PID: 27112 Comm: syz-executor2 Not tainted 4.14.0-rc7-00010-gf5dbb5d0ce32-dirty #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.3-20171021_125229-anatol 04/01/2014 task: ffff88006caac0c0 task.stack: ffff88006c7c8000 RIP: 0010:sg_set_buf include/linux/scatterlist.h:140 [inline] RIP: 0010:sg_init_one+0x1b3/0x240 lib/scatterlist.c:156 RSP: 0018:ffff88006c7cfb08 EFLAGS: 00010216 RAX: 0000000000010000 RBX: ffff88006c7cfe30 RCX: 00000000000064ee RDX: ffffffff81cf64c3 RSI: ffffc90000d72000 RDI: ffffffff92e937e0 RBP: ffff88006c7cfb30 R08: ffffed000d8f9fab R09: ffff88006c7cfd30 R10: 0000000000000005 R11: ffffed000d8f9faa R12: ffff88006c7cfd30 R13: 0000000000000000 R14: 0000000000000010 R15: ffff88006c7cfc50 FS: 00007fce190fa700(0000) GS:ffff88003ea00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fffc6b33db8 CR3: 000000003cf64000 CR4: 00000000000006f0 Call Trace: __keyctl_dh_compute+0xa95/0x19b0 security/keys/dh.c:360 keyctl_dh_compute+0xac/0x100 security/keys/dh.c:434 SYSC_keyctl security/keys/keyctl.c:1745 [inline] SyS_keyctl+0x72/0x2c0 security/keys/keyctl.c:1641 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x4585c9 RSP: 002b:00007fce190f9bd8 EFLAGS: 00000216 ORIG_RAX: 00000000000000fa RAX: ffffffffffffffda RBX: 0000000000738020 RCX: 00000000004585c9 RDX: 000000002000d000 RSI: 0000000020000ff4 RDI: 0000000000000017 RBP: 0000000000000046 R08: 0000000020008000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000216 R12: 00007fff6e610cde R13: 00007fff6e610cdf R14: 00007fce190fa700 R15: 0000000000000000 Code: 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 33 5b 45 89 6c 24 14 41 5c 41 5d 41 5e 41 5f 5d c3 e8 fd 8f 68 ff <0f> 0b e8 f6 8f 68 ff 0f 0b e8 ef 8f 68 ff 0f 0b e8 e8 8f 68 ff 20 RIP: sg_set_buf include/linux/scatterlist.h:140 [inline] RSP: ffff88006c7cfb08 RIP: sg_init_one+0x1b3/0x240 lib/scatterlist.c:156 RSP: ffff88006c7cfb08 Fixes: 802c7f1c84e4 ("crypto: dh - Add DH software implementation") Cc: # v4.8+ Reviewed-by: Tudor Ambarus Signed-off-by: Eric Biggers --- crypto/dh_helper.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/crypto/dh_helper.c b/crypto/dh_helper.c index 8ba8a3f82620..708ae20d2d3c 100644 --- a/crypto/dh_helper.c +++ b/crypto/dh_helper.c @@ -90,6 +90,14 @@ int crypto_dh_decode_key(const char *buf, unsigned int len, struct dh *params) params->p = (void *)(ptr + params->key_size); params->g = (void *)(ptr + params->key_size + params->p_size); + /* + * Don't permit 'p' to be 0. It's not a prime number, and it's subject + * to corner cases such as 'mod 0' being undefined or + * crypto_kpp_maxsize() returning 0. + */ + if (memchr_inv(params->p, 0, params->p_size) == NULL) + return -EINVAL; + return 0; } EXPORT_SYMBOL_GPL(crypto_dh_decode_key);