From patchwork Wed Jul 11 03:59:05 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Eric Biggers <ebiggers3@gmail.com>
X-Patchwork-Id: 10518747
X-Patchwork-Delegate: herbert@gondor.apana.org.au
Return-Path: <linux-crypto-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	578D36032C for <patchwork-linux-crypto@patchwork.kernel.org>;
	Wed, 11 Jul 2018 04:01:05 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 475EF28F68
	for <patchwork-linux-crypto@patchwork.kernel.org>;
	Wed, 11 Jul 2018 04:01:05 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 459E428F41; Wed, 11 Jul 2018 04:01:05 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E091C28F71
	for <patchwork-linux-crypto@patchwork.kernel.org>;
	Wed, 11 Jul 2018 04:01:04 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1726160AbeGKEDU (ORCPT
	<rfc822;patchwork-linux-crypto@patchwork.kernel.org>);
	Wed, 11 Jul 2018 00:03:20 -0400
Received: from mail-pl0-f68.google.com ([209.85.160.68]:46562 "EHLO
	mail-pl0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1725783AbeGKEDT (ORCPT
	<rfc822;linux-crypto@vger.kernel.org>);
	Wed, 11 Jul 2018 00:03:19 -0400
Received: by mail-pl0-f68.google.com with SMTP id 30-v6so8542667pld.13
	for <linux-crypto@vger.kernel.org>;
	Tue, 10 Jul 2018 21:01:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=cKE/34y7k1TFZx0NRLCejpE1nI+BCrESq8I+Ff1ie6s=;
	b=k7PcShQQk9NuwHjatE3cmmHs6v+keVhs53X0ivoJKH68pcl9bsc+Tk3zvaHt6p3eQz
	GUJJa+e5FvNEZWnGrY/Cj1ZUNFKHIe49sxfBd1ENonfJPBgTSYuf+Gp4pAQhh/5vpl5+
	80yfUn56raERWSJrJra0iB9w59jYy6/KySO901Nhwebo849AHdOmQ/Mzegr+hxc4Q5nX
	/4p2s5wOFy3JCnOtDNeHbM6KN3C97auR0n5g8RhhFB9G7gP/Xm0p8u2XEghuXn6BixRh
	eQAgXbRZSLedUuS2v5ms66DjHwdobtf3AsEN1tjZwrBt7W5TXmRvsBBjmEyjCN6/BqBv
	1aiA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=cKE/34y7k1TFZx0NRLCejpE1nI+BCrESq8I+Ff1ie6s=;
	b=Z51KgxzmP9Q6d3NLecivEkUDhoVWvcf5D2P/orztSEtneaPoLFSIroy0fYUgXa/BrH
	PEaWKD5zgoC76COJEE9ctbL3Qj38CZppmiWv00sWQF1Ba/d1aoK4WCXJlxK4zxoqutjA
	u23ZGzn7S2ihab4p1UOAv7cIxoqosetC5SKyLvJdhmeC6UIV4YdXEduflyOJcV2hh+Ov
	h4CQOr0PZqh96+xD1gUbSdyutXtEabRkmbw0y5HeKe7D/AbX/FRDDS/pKxhLwdMq36wd
	OQkvIhcdWUSpMX9QVc/TFf8/wQGVb0Ev1jfV88TOS1BJ5C+/eOOKLTzShrGP2F2v2WpP
	km5g==
X-Gm-Message-State: APt69E01DQrWgv0TZZuRL/xQfPSWKNksow0b3yDlBEVDL3sCEChkxUsZ
	J8cdNqhN59zGhKXNQs5MYtl1o7wU
X-Google-Smtp-Source: 
 AAOMgpfBF6aftzjc5/Iy3slUeHtkhScAqRxA1nwPyl4muPUDUx1uco4XKOuj7meB2E5zkBr9LsN0iQ==
X-Received: by 2002:a17:902:7106:: with SMTP id
	a6-v6mr27634967pll.28.1531281662946;
	Tue, 10 Jul 2018 21:01:02 -0700 (PDT)
Received: from sol.localdomain (c-67-185-97-198.hsd1.wa.comcast.net.
	[67.185.97.198]) by smtp.gmail.com with ESMTPSA id
	z8-v6sm31443909pfg.24.2018.07.10.21.01.01
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 10 Jul 2018 21:01:01 -0700 (PDT)
From: Eric Biggers <ebiggers3@gmail.com>
To: linux-crypto@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>
Cc: Stephan Mueller <smueller@chronox.de>,
	syzkaller-bugs@googlegroups.com, Eric Biggers <ebiggers@google.com>
Subject: [PATCH] crypto: dh - fix calculating encoded key size
Date: Tue, 10 Jul 2018 20:59:05 -0700
Message-Id: <20180711035905.17809-1-ebiggers3@gmail.com>
X-Mailer: git-send-email 2.18.0
In-Reply-To: <0000000000008faf3f05708f99c0@google.com>
References: <0000000000008faf3f05708f99c0@google.com>
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Eric Biggers <ebiggers@google.com>

It was forgotten to increase DH_KPP_SECRET_MIN_SIZE to include 'q_size',
causing an out-of-bounds write of 4 bytes in crypto_dh_encode_key(), and
an out-of-bounds read of 4 bytes in crypto_dh_decode_key().  Fix it.
Also add a BUG_ON() if crypto_dh_encode_key() doesn't exactly fill the
buffer, as that would have found this bug without resorting to KASAN.

Reported-by: syzbot+6d38d558c25b53b8f4ed@syzkaller.appspotmail.com
Fixes: e3fe0ae12962 ("crypto: dh - add public key verification test")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Stephan Müller <smueller@chronox.de>
---
 crypto/dh_helper.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/crypto/dh_helper.c b/crypto/dh_helper.c
index a7de3d9ce5ace..87ad6e2e87644 100644
--- a/crypto/dh_helper.c
+++ b/crypto/dh_helper.c
@@ -14,7 +14,7 @@
 #include <crypto/dh.h>
 #include <crypto/kpp.h>
 
-#define DH_KPP_SECRET_MIN_SIZE (sizeof(struct kpp_secret) + 3 * sizeof(int))
+#define DH_KPP_SECRET_MIN_SIZE (sizeof(struct kpp_secret) + 4 * sizeof(int))
 
 static inline u8 *dh_pack_data(void *dst, const void *src, size_t size)
 {
@@ -61,7 +61,8 @@ int crypto_dh_encode_key(char *buf, unsigned int len, const struct dh *params)
 	ptr = dh_pack_data(ptr, params->key, params->key_size);
 	ptr = dh_pack_data(ptr, params->p, params->p_size);
 	ptr = dh_pack_data(ptr, params->q, params->q_size);
-	dh_pack_data(ptr, params->g, params->g_size);
+	ptr = dh_pack_data(ptr, params->g, params->g_size);
+	BUG_ON(ptr != (u8 *)buf + len);
 
 	return 0;
 }