From patchwork Wed Sep 6 19:22:44 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephan Mueller X-Patchwork-Id: 9941213 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 165BB60216 for ; Wed, 6 Sep 2017 19:22:59 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id F0B822807B for ; Wed, 6 Sep 2017 19:22:58 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E58762873E; Wed, 6 Sep 2017 19:22:58 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1228228AE0 for ; Wed, 6 Sep 2017 19:22:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752058AbdIFTWz (ORCPT ); Wed, 6 Sep 2017 15:22:55 -0400 Received: from mail.eperm.de ([89.247.134.16]:34646 "EHLO mail.eperm.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750933AbdIFTWz (ORCPT ); Wed, 6 Sep 2017 15:22:55 -0400 Received: from positron.chronox.de (ppp-46-244-130-147.dynamic.mnet-online.de [46.244.130.147]) by mail.eperm.de (Postfix) with ESMTPA id A3FF91816074; Wed, 6 Sep 2017 21:22:52 +0200 (CEST) From: Stephan =?ISO-8859-1?Q?M=FCller?= To: herbert@gondor.apana.org.au Cc: stable@vger.kernel.org, linux-crypto@vger.kernel.org Subject: [PATCH] crypto: authenc - cryptlen must be at least AAD len Date: Wed, 06 Sep 2017 21:22:44 +0200 Message-ID: <4634467.01PS30tDXi@positron.chronox.de> MIME-Version: 1.0 Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP With AF_ALG, AAD len and cryptlen can be set freely by unprivileged user space. The cipher implementation must therefore validate the input data for sanity. For AEAD ciphers, this implies that cryptlen must be at least as large as AAD size. This fixes a kernel crash that can be triggered via AF_ALG detected by the fuzzing test implemented with libkcapi. CC: CC: Herbert Xu Signed-off-by: Stephan Mueller --- crypto/authenc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/crypto/authenc.c b/crypto/authenc.c index 875470b0e026..21e202fc32c1 100644 --- a/crypto/authenc.c +++ b/crypto/authenc.c @@ -209,6 +209,9 @@ static int crypto_authenc_encrypt(struct aead_request *req) struct scatterlist *src, *dst; int err; + if (req->assoclen > cryptlen) + return -EINVAL; + src = scatterwalk_ffwd(areq_ctx->src, req->src, req->assoclen); dst = src;