From patchwork Wed Nov 29 04:56:59 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 10081443 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 2DA3D60353 for ; Wed, 29 Nov 2017 04:59:21 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1F45A295B1 for ; Wed, 29 Nov 2017 04:59:21 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 13816295B5; Wed, 29 Nov 2017 04:59:21 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 88EAE295B1 for ; Wed, 29 Nov 2017 04:59:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751660AbdK2E7T (ORCPT ); Tue, 28 Nov 2017 23:59:19 -0500 Received: from mail-pl0-f66.google.com ([209.85.160.66]:36344 "EHLO mail-pl0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751395AbdK2E7S (ORCPT ); Tue, 28 Nov 2017 23:59:18 -0500 Received: by mail-pl0-f66.google.com with SMTP id b12so1400572plm.3; Tue, 28 Nov 2017 20:59:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=yce6EaxGRDVedUv1YRNzS+bVAI9Zoi8AVwE56yQIeIw=; b=sqBEhVFbLeecrYtvRmcFC2s+t5x8f7SPogqy4nAs0LTuD6FkXMjUNHiFzdIrhOIy1s bJwqp5+RDLDwgCz2BwLQ+jtE232ilCzCLCIPwUqA1sYcpEx3N1fN3uhPfTWVukEZnmPy HNr/azvzTA4Cf+DrEQUPH49lX0n5R3XbArQVUcCczQ5/7UJjZRtLlStipM3LI8jNwtrm pgP7E1pwAvgqLBVsJget+aCGXuerTigJndGj5zvtpTuJVzMJsEBUei+hvY/axGhb4fOl LdR0WM6LGGvXa8Y0PmdrYQN423dGawXnsM7GQyfUTDiCHGaYnvTO9LSoNSBnC9XXocmy FBTQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=yce6EaxGRDVedUv1YRNzS+bVAI9Zoi8AVwE56yQIeIw=; b=OmJXvolbcoVlFnspsM5IQe6LZghUlFZG6IN5p68EXIsSZGjSEhfTDVREBR4KieCVxC iAro0ON3+5uL43kDadU91eQezwooreogqegDTZoOo6KA8vJ/OJdFLcvYNWJB8MrGIK3x vs/5Gy40hvJW52JUGbqPz/mlyI3sCEgpt9UOfNo9G23j7NmCXiksNU6Edk0re8iJ0Z/K 7CP/2FR28cbtkaTyovMGaGPns+cCLZcsyjtP2IwnrLaxiUEUg2yVM6YFikKsuMBhKp5D +3HYZlmmMkPUbcUtExR3/T2wOvdNwl5gV1F7IAnl5J2Y0hjoj+f7/FPb9evA8B/rM5GE /qGQ== X-Gm-Message-State: AJaThX5WMGZeiZ7cstegc09//SJjrIxoXkMAU6hmNtEGW/ls3hDECzOH XxoKfgqjF86V0ywPW+QJeGx70a9I X-Google-Smtp-Source: AGs4zMb3/8T5F/X0TSiX7LGOC7URW1cFPxfsVQ7jAyimbZxXEqLpkFGJNA4xUeQ9ALRFswbGfdeaxA== X-Received: by 10.84.130.104 with SMTP id 95mr1644186plc.151.1511931557308; Tue, 28 Nov 2017 20:59:17 -0800 (PST) Received: from zzz.localdomain (c-67-185-97-198.hsd1.wa.comcast.net. [67.185.97.198]) by smtp.gmail.com with ESMTPSA id q7sm938499pgf.26.2017.11.28.20.59.16 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 28 Nov 2017 20:59:16 -0800 (PST) From: Eric Biggers To: linux-crypto@vger.kernel.org, Herbert Xu Cc: "David S . Miller" , linux-kernel@vger.kernel.org, Eric Biggers , stable@vger.kernel.org Subject: [PATCH] crypto: salsa20 - fix blkcipher_walk API usage Date: Tue, 28 Nov 2017 20:56:59 -0800 Message-Id: <20171129045659.16372-1-ebiggers3@gmail.com> X-Mailer: git-send-email 2.15.0 Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers When asked to encrypt or decrypt 0 bytes, both the generic and x86 implementations of Salsa20 crash in blkcipher_walk_done(), either when doing 'kfree(walk->buffer)' or 'free_page((unsigned long)walk->page)', because walk->buffer and walk->page have not been initialized. The bug is that Salsa20 is calling blkcipher_walk_done() even when nothing is in 'walk.nbytes'. But blkcipher_walk_done() is only meant to be called when a nonzero number of bytes have been provided. The broken code is part of an optimization that tries to make only one call to salsa20_encrypt_bytes() to process inputs that are not evenly divisible by 64 bytes. To fix the bug, just remove this "optimization" and use the blkcipher_walk API the same way all the other users do. Reproducer: #include #include #include int main() { int algfd, reqfd; struct sockaddr_alg addr = { .salg_type = "skcipher", .salg_name = "salsa20", }; char key[16] = { 0 }; algfd = socket(AF_ALG, SOCK_SEQPACKET, 0); bind(algfd, (void *)&addr, sizeof(addr)); reqfd = accept(algfd, 0, 0); setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key)); read(reqfd, key, sizeof(key)); } Reported-by: syzbot Fixes: eb6f13eb9f81 ("[CRYPTO] salsa20_generic: Fix multi-page processing") Cc: # v2.6.25+ Signed-off-by: Eric Biggers --- arch/x86/crypto/salsa20_glue.c | 7 ------- crypto/salsa20_generic.c | 7 ------- 2 files changed, 14 deletions(-) diff --git a/arch/x86/crypto/salsa20_glue.c b/arch/x86/crypto/salsa20_glue.c index 399a29d067d6..cb91a64a99e7 100644 --- a/arch/x86/crypto/salsa20_glue.c +++ b/arch/x86/crypto/salsa20_glue.c @@ -59,13 +59,6 @@ static int encrypt(struct blkcipher_desc *desc, salsa20_ivsetup(ctx, walk.iv); - if (likely(walk.nbytes == nbytes)) - { - salsa20_encrypt_bytes(ctx, walk.src.virt.addr, - walk.dst.virt.addr, nbytes); - return blkcipher_walk_done(desc, &walk, 0); - } - while (walk.nbytes >= 64) { salsa20_encrypt_bytes(ctx, walk.src.virt.addr, walk.dst.virt.addr, diff --git a/crypto/salsa20_generic.c b/crypto/salsa20_generic.c index f550b5d94630..d7da0eea5622 100644 --- a/crypto/salsa20_generic.c +++ b/crypto/salsa20_generic.c @@ -188,13 +188,6 @@ static int encrypt(struct blkcipher_desc *desc, salsa20_ivsetup(ctx, walk.iv); - if (likely(walk.nbytes == nbytes)) - { - salsa20_encrypt_bytes(ctx, walk.dst.virt.addr, - walk.src.virt.addr, nbytes); - return blkcipher_walk_done(desc, &walk, 0); - } - while (walk.nbytes >= 64) { salsa20_encrypt_bytes(ctx, walk.dst.virt.addr, walk.src.virt.addr,