| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 21 Dec 2023 09:32:40 +0800 From: Herbert Xu <herbert@...dor.apana.org.au> To: Edward Adam Davis <eadavis@...com> Cc: syzbot+8ffb0839a24e9c6bfa76@...kaller.appspotmail.com, davem@...emloft.net, linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com Subject: Re: [PATCH next] crypto: fix oob Read in arc4_crypt On Wed, Dec 20, 2023 at 11:53:55PM +0800, Edward Adam Davis wrote: > The space allocated to areq is not sufficient to access the member __ctx of > struct skcipher_request, as the space occupied by struct arc4_ctx for reading > is 1032 bytes, while the requested memory size in skcipher_recvmsg() is: > sizeof(struct af_alg_async_req) + crypto_skcipher_reqsize(tfm) = 736 bytes, > which does not include the memory required for __ctx of struct skcipher_request. > > Reported-by: syzbot+8ffb0839a24e9c6bfa76@...kaller.appspotmail.com > Signed-off-by: Edward Adam Davis <eadavis@...com> > --- > crypto/algif_skcipher.c | 10 +++++++--- > crypto/skcipher.c | 1 - > include/crypto/internal/skcipher.h | 1 + > 3 files changed, 8 insertions(+), 4 deletions(-) I see where the real bug is. The statesize is not being passed along by ecb so that's why we end up with no memory. Cheers, -- Email: Herbert Xu <herbert@...dor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Powered by blists - more mailing lists