lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 22 Dec 2017 19:34:16 +1100
From:   Herbert Xu <herbert@...dor.apana.org.au>
To:     Eric Biggers <ebiggers3@...il.com>
Cc:     linux-crypto@...r.kernel.org, Martin Willi <martin@...ongswan.org>,
        Steffen Klassert <steffen.klassert@...unet.com>,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        davem@...emloft.net, Eric Biggers <ebiggers@...gle.com>,
        stable@...r.kernel.org
Subject: Re: [PATCH] crypto: chacha20poly1305 - validate the digest size

On Mon, Dec 11, 2017 at 12:15:17PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@...gle.com>
> 
> If the rfc7539 template was instantiated with a hash algorithm with
> digest size larger than 16 bytes (POLY1305_DIGEST_SIZE), then the digest
> overran the 'tag' buffer in 'struct chachapoly_req_ctx', corrupting the
> subsequent memory, including 'cryptlen'.  This caused a crash during
> crypto_skcipher_decrypt().
> 
> Fix it by, when instantiating the template, requiring that the
> underlying hash algorithm has the digest size expected for Poly1305.
> 
> Reproducer:
> 
>     #include <linux/if_alg.h>
>     #include <sys/socket.h>
>     #include <unistd.h>
> 
>     int main()
>     {
>             int algfd, reqfd;
>             struct sockaddr_alg addr = {
>                     .salg_type = "aead",
>                     .salg_name = "rfc7539(chacha20,sha256)",
>             };
>             unsigned char buf[32] = { 0 };
> 
>             algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
>             bind(algfd, (void *)&addr, sizeof(addr));
>             setsockopt(algfd, SOL_ALG, ALG_SET_KEY, buf, sizeof(buf));
>             reqfd = accept(algfd, 0, 0);
>             write(reqfd, buf, 16);
>             read(reqfd, buf, 16);
>     }
> 
> Reported-by: syzbot <syzkaller@...glegroups.com>
> Fixes: 71ebc4d1b27d ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539")
> Cc: <stable@...r.kernel.org> # v4.2+
> Signed-off-by: Eric Biggers <ebiggers@...gle.com>

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Powered by blists - more mailing lists