| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20130825161313.GD5171@amd.pavel.ucw.cz> Date: Sun, 25 Aug 2013 18:13:13 +0200 From: Pavel Machek <pavel@....cz> To: "Lee, Chun-Yi" <joeyli.kernel@...il.com> Cc: linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, linux-efi@...r.kernel.org, linux-pm@...r.kernel.org, linux-crypto@...r.kernel.org, opensuse-kernel@...nsuse.org, David Howells <dhowells@...hat.com>, "Rafael J. Wysocki" <rjw@...k.pl>, Matthew Garrett <mjg59@...f.ucam.org>, Len Brown <len.brown@...el.com>, Josh Boyer <jwboyer@...hat.com>, Vojtech Pavlik <vojtech@...e.cz>, Matt Fleming <matt.fleming@...el.com>, James Bottomley <james.bottomley@...senpartnership.com>, Greg KH <gregkh@...uxfoundation.org>, JKosina@...e.com, Rusty Russell <rusty@...tcorp.com.au>, Herbert Xu <herbert@...dor.apana.org.au>, "David S. Miller" <davem@...emloft.net>, "H. Peter Anvin" <hpa@...or.com>, Michal Marek <mmarek@...e.cz>, Gary Lin <GLin@...e.com>, Vivek Goyal <vgoyal@...hat.com>, "Lee, Chun-Yi" <jlee@...e.com> Subject: Re: [PATCH 07/18] asymmetric keys: explicitly add the leading zero byte to encoded message On Thu 2013-08-22 19:01:46, Lee, Chun-Yi wrote: > Per PKCS1 spec, the EMSA-PKCS1-v1_5 encoded message is leading by 0x00 0x01 in > its first 2 bytes. The leading zero byte is suppressed by MPI so we pass a > pointer to the _preceding_ byte to RSA_verify() in original code, but it has > risk for the byte is not zero because it's not in EM buffer's scope, neither > RSA_verify() nor mpi_get_buffer() didn't take care the leading byte. > > To avoid the risk, that's better we explicitly add the leading zero byte to EM > for pass to RSA_verify(). This patch allocate a _EM buffer to capture the > result from RSA_I2OSP(), then set the first byte to zero in EM and copy the > remaining bytes from _EM. > > Reviewed-by: Jiri Kosina <jkosina@...e.cz> > Signed-off-by: Lee, Chun-Yi <jlee@...e.com> > - ret = RSA_verify(H, EM - 1, k, sig->digest_size, > + EM = kmalloc(k, GFP_KERNEL); > + memset(EM, 0, 1); > + memcpy(EM + 1, _EM, k-1); > + kfree(_EM); Spot a crash waiting to happen. Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists