From patchwork Mon Dec 11 20:15:17 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Biggers X-Patchwork-Id: 10105759 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id A5FA060751 for ; Mon, 11 Dec 2017 20:17:12 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 91E0A2989E for ; Mon, 11 Dec 2017 20:17:12 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 86888298A1; Mon, 11 Dec 2017 20:17:12 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 09C602989E for ; Mon, 11 Dec 2017 20:17:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751434AbdLKURK (ORCPT ); Mon, 11 Dec 2017 15:17:10 -0500 Received: from mail-it0-f66.google.com ([209.85.214.66]:35622 "EHLO mail-it0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750886AbdLKURJ (ORCPT ); Mon, 11 Dec 2017 15:17:09 -0500 Received: by mail-it0-f66.google.com with SMTP id f143so18849837itb.0; Mon, 11 Dec 2017 12:17:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=2qSBH7orplHT4OD8nHf1r/0rhdDDW5zMjrPxb/65Frc=; b=cVZeQNW4Xh1pUOPq+ReCexxst1bwKvTJGbZ2Eh3xzUUsunYkkyfo5szI5+nKQxbowA 1ieWj4BK1fJVYS1CtLnN8BDC+XtSMgZd3L4BCR5q8+9TYxOytjqum5KJhfdWKxrGMJKB uSTZkDOce8ACmbAXZDf9G8OpR+ph0GGpxR3CAb6XZWjB8ezRB/RYxwYm8geSJ65m9pwI kBf0z+lLaof6KAY7ZfKPzxxRXx7A4256aD73Bg5e87xiQWM/iOq8Yq6b2KMZDwwf/vr8 WEL0m/QVuHmQhim1FdGp3KHsJz81e9CVXQyq17zW2aSzYDJxkbonBpU3JDowZkulQe25 5PIw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=2qSBH7orplHT4OD8nHf1r/0rhdDDW5zMjrPxb/65Frc=; b=VeOCXRF9Fejf1y84kGew1HwUUBde5pNJZbJYGDfBWKnYV/sRDHEm2vakGHl9rwoidg E/kf03lKCFw/SY++0wbDnOy0ZFVQhRP9PDDwAb10VUDwSYspTpA9piOi0ekyh7VNUaTu yUQLZ+bft0hiIe3zcSfXXR0hmBsGf/3ryRi7GljdgUXzCPE+kGfVHDtvEG6Jx0YHhFXF 5W/mO0g6JLqkjzt19TA4oLcUVLh8b4CCCMRlh+Hczn2+uOca2uqpfLdS5Lgn4Yxo8WLB azid4Kt6tBzmpL4tMS4u2BtwVBgE6nu23fyiIOilklHUvYrP83lbTGiTJVtxG7lbtNpt vbZQ== X-Gm-Message-State: AKGB3mI6Ir/0BXq7jn5fR4kC1DwyO5k8/Q8ZM/YjJmOOEmqH/9oRfDfv N/84bKEIPxntRIULdtZFweSlYnt/ X-Google-Smtp-Source: ACJfBos9SiX9xPcEkQPezsAvdgLEJYSGgHBfQ56G/nmRjhYdk8vFb7qUn/P4G+MkTUy51dy02gYUjQ== X-Received: by 10.107.202.71 with SMTP id a68mr2068036iog.118.1513023428515; Mon, 11 Dec 2017 12:17:08 -0800 (PST) Received: from ebiggers-linuxstation.kir.corp.google.com ([100.66.175.88]) by smtp.gmail.com with ESMTPSA id o71sm2774250itb.28.2017.12.11.12.17.07 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 11 Dec 2017 12:17:07 -0800 (PST) From: Eric Biggers To: linux-crypto@vger.kernel.org, Herbert Xu Cc: Martin Willi , Steffen Klassert , linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, davem@davemloft.net, Eric Biggers , stable@vger.kernel.org Subject: [PATCH] crypto: chacha20poly1305 - validate the digest size Date: Mon, 11 Dec 2017 12:15:17 -0800 Message-Id: <20171211201517.46407-1-ebiggers3@gmail.com> X-Mailer: git-send-email 2.15.1.424.g9478a66081-goog In-Reply-To: <94eb2c05a380bd8f2a055ffc6de5@google.com> References: <94eb2c05a380bd8f2a055ffc6de5@google.com> Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Eric Biggers If the rfc7539 template was instantiated with a hash algorithm with digest size larger than 16 bytes (POLY1305_DIGEST_SIZE), then the digest overran the 'tag' buffer in 'struct chachapoly_req_ctx', corrupting the subsequent memory, including 'cryptlen'. This caused a crash during crypto_skcipher_decrypt(). Fix it by, when instantiating the template, requiring that the underlying hash algorithm has the digest size expected for Poly1305. Reproducer: #include #include #include int main() { int algfd, reqfd; struct sockaddr_alg addr = { .salg_type = "aead", .salg_name = "rfc7539(chacha20,sha256)", }; unsigned char buf[32] = { 0 }; algfd = socket(AF_ALG, SOCK_SEQPACKET, 0); bind(algfd, (void *)&addr, sizeof(addr)); setsockopt(algfd, SOL_ALG, ALG_SET_KEY, buf, sizeof(buf)); reqfd = accept(algfd, 0, 0); write(reqfd, buf, 16); read(reqfd, buf, 16); } Reported-by: syzbot Fixes: 71ebc4d1b27d ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539") Cc: # v4.2+ Signed-off-by: Eric Biggers --- crypto/chacha20poly1305.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/crypto/chacha20poly1305.c b/crypto/chacha20poly1305.c index db1bc3147bc4..600afa99941f 100644 --- a/crypto/chacha20poly1305.c +++ b/crypto/chacha20poly1305.c @@ -610,6 +610,11 @@ static int chachapoly_create(struct crypto_template *tmpl, struct rtattr **tb, algt->mask)); if (IS_ERR(poly)) return PTR_ERR(poly); + poly_hash = __crypto_hash_alg_common(poly); + + err = -EINVAL; + if (poly_hash->digestsize != POLY1305_DIGEST_SIZE) + goto out_put_poly; err = -ENOMEM; inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL); @@ -618,7 +623,6 @@ static int chachapoly_create(struct crypto_template *tmpl, struct rtattr **tb, ctx = aead_instance_ctx(inst); ctx->saltlen = CHACHAPOLY_IV_SIZE - ivsize; - poly_hash = __crypto_hash_alg_common(poly); err = crypto_init_ahash_spawn(&ctx->poly, poly_hash, aead_crypto_instance(inst)); if (err)