[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20220405070359.211588145@linuxfoundation.org>
Date: Tue, 5 Apr 2022 09:18:01 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Tadeusz Struk <tadeusz.struk@...aro.org>,
Eric Biggers <ebiggers@...gle.com>,
Herbert Xu <herbert@...dor.apana.org.au>
Subject: [PATCH 5.16 0168/1017] crypto: rsa-pkcs1pad - fix buffer overread in pkcs1pad_verify_complete()
From: Eric Biggers <ebiggers@...gle.com>
commit a24611ea356c7f3f0ec926da11b9482ac1f414fd upstream.
Before checking whether the expected digest_info is present, we need to
check that there are enough bytes remaining.
Fixes: a49de377e051 ("crypto: Add hash param to pkcs1pad")
Cc: <stable@...r.kernel.org> # v4.6+
Cc: Tadeusz Struk <tadeusz.struk@...aro.org>
Signed-off-by: Eric Biggers <ebiggers@...gle.com>
Signed-off-by: Herbert Xu <herbert@...dor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
crypto/rsa-pkcs1pad.c | 2 ++
1 file changed, 2 insertions(+)
--- a/crypto/rsa-pkcs1pad.c
+++ b/crypto/rsa-pkcs1pad.c
@@ -476,6 +476,8 @@ static int pkcs1pad_verify_complete(stru
pos++;
if (digest_info) {
+ if (digest_info->size > dst_len - pos)
+ goto done;
if (crypto_memneq(out_buf + pos, digest_info->data,
digest_info->size))
goto done;
Powered by blists - more mailing lists