[v2] crypto/testmgr: don't copy from source IV too much

Message ID	1441879915-5362-1-git-send-email-aryabinin@virtuozzo.com (mailing list archive)
State	Accepted
Delegated to:	Herbert Xu
Headers	show Return-Path: <linux-crypto-owner@kernel.org> From: Andrey Ryabinin <aryabinin@virtuozzo.com> To: Herbert Xu <herbert@gondor.apana.org.au>, "David S. Miller" <davem@davemloft.net>, <linux-crypto@vger.kernel.org> CC: <linux-kernel@vger.kernel.org>, Andrey Ryabinin <aryabinin@virtuozzo.com> Subject: [PATCH v2] crypto/testmgr: don't copy from source IV too much Date: Thu, 10 Sep 2015 13:11:55 +0300 Message-ID: <1441879915-5362-1-git-send-email-aryabinin@virtuozzo.com> In-Reply-To: <20150903132057.GA31317@gondor.apana.org.au> References: <20150903132057.GA31317@gondor.apana.org.au> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk

Message ID

1441879915-5362-1-git-send-email-aryabinin@virtuozzo.com (mailing list archive)

State

Accepted

Delegated to:

Herbert Xu

Headers

From: Andrey Ryabinin <aryabinin@virtuozzo.com>
To: Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>, <linux-crypto@vger.kernel.org>
CC: <linux-kernel@vger.kernel.org>, Andrey Ryabinin <aryabinin@virtuozzo.com>
Subject: [PATCH v2] crypto/testmgr: don't copy from source IV too much
Date: Thu, 10 Sep 2015 13:11:55 +0300
Message-ID: <1441879915-5362-1-git-send-email-aryabinin@virtuozzo.com>
In-Reply-To: <20150903132057.GA31317@gondor.apana.org.au>
References: <20150903132057.GA31317@gondor.apana.org.au>
MIME-Version: 1.0
Content-Type: text/plain
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk

Commit Message

Andrey Ryabinin Sept. 10, 2015, 10:11 a.m. UTC

While the destination buffer 'iv' is MAX_IVLEN size,
the source 'template[i].iv' could be smaller, thus
memcpy may read read invalid memory.
Use crypto_skcipher_ivsize() to get real ivsize
and pass it to memcpy.

Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
---
 crypto/testmgr.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

Comments

Herbert Xu Sept. 11, 2015, 2:14 p.m. UTC | #1

On Thu, Sep 10, 2015 at 01:11:55PM +0300, Andrey Ryabinin wrote:
> While the destination buffer 'iv' is MAX_IVLEN size,
> the source 'template[i].iv' could be smaller, thus
> memcpy may read read invalid memory.
> Use crypto_skcipher_ivsize() to get real ivsize
> and pass it to memcpy.
> 
> Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>

Patch applied.  Thanks!

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 35c2de1..fa18753 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -940,6 +940,7 @@  static int __test_skcipher(struct crypto_skcipher *tfm, int enc,
 	char *xbuf[XBUFSIZE];
 	char *xoutbuf[XBUFSIZE];
 	int ret = -ENOMEM;
+	unsigned int ivsize = crypto_skcipher_ivsize(tfm);
 
 	if (testmgr_alloc_buf(xbuf))
 		goto out_nobuf;
@@ -975,7 +976,7 @@  static int __test_skcipher(struct crypto_skcipher *tfm, int enc,
 			continue;
 
 		if (template[i].iv)
-			memcpy(iv, template[i].iv, MAX_IVLEN);
+			memcpy(iv, template[i].iv, ivsize);
 		else
 			memset(iv, 0, MAX_IVLEN);
 
@@ -1051,7 +1052,7 @@  static int __test_skcipher(struct crypto_skcipher *tfm, int enc,
 			continue;
 
 		if (template[i].iv)
-			memcpy(iv, template[i].iv, MAX_IVLEN);
+			memcpy(iv, template[i].iv, ivsize);
 		else
 			memset(iv, 0, MAX_IVLEN);