lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <alpine.LRH.2.02.1611121511510.26536@file01.intranet.prod.int.rdu2.redhat.com>
Date:   Sat, 12 Nov 2016 15:20:54 -0500 (EST)
From:   Mikulas Patocka <mpatocka@...hat.com>
To:     Ondrej Kozina <okozina@...hat.com>,
        Mike Snitzer <msnitzer@...hat.com>,
        Alexey Dobriyan <adobriyan@...il.com>
cc:     dm-devel@...hat.com, linux-kernel@...r.kernel.org
Subject: dm-crypt accepts '+' in the key

Hi

dm-crypt uses the function kstrtou8 to decode the encryption key. kstrtou8 
calls kstrtoull and kstrtoull skips the first character if it is '+'.

Consequently, it is possible to load keys with '+' in it. For example, 
this is possible:

dmsetup create cr --table "0 131072 crypt aes-cbc-essiv:sha256 +0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0+0 0 /dev/debian/tmptest 0"

Should this be fixed in dm-crypt or in kstrtou8? A fix in kstrtou8 could 
be more appropriate, but we don't know how many other kernel parts depend 
on this "skip plus" behavior...

Mikulas

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ