From patchwork Mon Mar 21 13:26:09 2016
X-Patchwork-Submitter: Nicolai Stange
X-Patchwork-Id: 8632921
X-Patchwork-Delegate: herbert@gondor.apana.org.au
From: Nicolai Stange
To: Herbert Xu, "David S. Miller"
Cc: Tadeusz Struk, Michal Marek, Andrzej Zaborowski, Stephan Mueller, Arnd Bergmann, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, Nicolai Stange
Subject: [PATCH RESEND v2 08/14] lib/mpi: mpi_read_buffer(): fix buffer overflow
Date: Mon, 21 Mar 2016 14:26:09 +0100
Message-Id: <1458566775-5239-9-git-send-email-nicstange@gmail.com>
In-Reply-To: <1458566775-5239-1-git-send-email-nicstange@gmail.com>
References: <1458566775-5239-1-git-send-email-nicstange@gmail.com>
X-Mailing-List: linux-crypto@vger.kernel.org

Currently, mpi_read_buffer() writes full limbs to the output buffer and
moves memory around to purge leading zero limbs afterwards.

However, with commit 9cbe21d8f89d ("lib/mpi: only require buffers as big
as needed for the integer") the caller is only required to provide a
buffer large enough to hold the result without the leading zeros.

This might result in a buffer overflow for small MP numbers with leading
zeros.

Fix this by copying the result to its final destination within the output
buffer and not copying the leading zeros at all.

Fixes: 9cbe21d8f89d ("lib/mpi: only require buffers as big as needed for the integer")
Signed-off-by: Nicolai Stange
---
 lib/mpi/mpicoder.c | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/lib/mpi/mpicoder.c b/lib/mpi/mpicoder.c
index a999ee1..27582e2 100644
--- a/lib/mpi/mpicoder.c
+++ b/lib/mpi/mpicoder.c
@@ -201,16 +201,9 @@ int mpi_read_buffer(MPI a, uint8_t *buf, unsigned buf_len, unsigned *nbytes, #else #error please implement for this limb size. #endif - memcpy(p, &alimb, BYTES_PER_MPI_LIMB); - p += BYTES_PER_MPI_LIMB; - if (lzeros > 0) { - mpi_limb_t *limb1 = (void *)p - sizeof(alimb); - mpi_limb_t *limb2 = (void *)p - sizeof(alimb) - + lzeros; - *limb1 = *limb2; - p -= lzeros; - lzeros -= sizeof(alimb); - } + memcpy(p, &alimb + lzeros, BYTES_PER_MPI_LIMB - lzeros); + p += BYTES_PER_MPI_LIMB - lzeros; + lzeros = 0; } return 0; }
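Review bot: the new memcpy in this hunk offsets its source in limbs, not bytes. `alimb` is an `mpi_limb_t` (the removed lines use `sizeof(alimb)`), so `&alimb + lzeros` is `mpi_limb_t *` arithmetic and advances by `lzeros * sizeof(mpi_limb_t)` bytes, reading past `alimb` whenever `lzeros > 0`, while `lzeros` is a byte count (the removed code subtracts `sizeof(alimb)` from it and adds it to a `(void *)` pointer). Suggest casting to a byte pointer before adding the offset: `memcpy(p, (uint8_t *)&alimb + lzeros, BYTES_PER_MPI_LIMB - lzeros);`. The two lines that follow, `p += BYTES_PER_MPI_LIMB - lzeros;` and `lzeros = 0;`, are consistent with the intended byte-wise copy.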
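The copy strategy the commit message describes, writing each limb's big-endian bytes straight to their final place and skipping the leading zeros of the top limb instead of shifting afterwards, as an added stand-alone C example. This is not the kernel's code and not part of the patch: the 64-bit `limb_t`, the functions `leading_zero_bytes`, `needed_bytes` and `limbs_to_bytes`, and the sample limb values are all constructed for the example. Limbs are stored least significant first, as in the kernel's MPI representation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed limb type for the example (stands in for mpi_limb_t on 64-bit). */
typedef uint64_t limb_t;
#define BYTES_PER_LIMB ((unsigned)sizeof(limb_t))

/* Leading zero bytes in the big-endian image of the most significant limb.
 * Assumes a normalized number: every limb above the top one has been dropped. */
static unsigned leading_zero_bytes(limb_t top)
{
    unsigned lz = 0;
    for (int i = (int)BYTES_PER_LIMB - 1; i >= 0; i--) {
        if ((top >> (8 * i)) & 0xff)
            break;
        lz++;
    }
    return lz;
}

/* Smallest buffer that holds the number without leading zeros: this is the
 * size a caller is required to provide. */
unsigned needed_bytes(const limb_t *d, unsigned nlimbs)
{
    if (nlimbs == 0)
        return 0;
    return nlimbs * BYTES_PER_LIMB - leading_zero_bytes(d[nlimbs - 1]);
}

/* Serialize d[0..nlimbs) (least significant limb first) as big-endian bytes.
 * Returns 0 and sets *nbytes on success, -1 if buf is too small. The top
 * limb is copied from byte offset lzeros of its big-endian image, so nothing
 * is ever written beyond buf + needed_bytes(). The offset is applied to a
 * uint8_t array on purpose: adding lzeros to a limb_t * would move in limbs. */
int limbs_to_bytes(const limb_t *d, unsigned nlimbs,
                   uint8_t *buf, unsigned buf_len, unsigned *nbytes)
{
    unsigned needed = needed_bytes(d, nlimbs);
    unsigned lzeros = nlimbs ? leading_zero_bytes(d[nlimbs - 1]) : 0;
    uint8_t *p = buf;

    if (buf_len < needed)
        return -1;

    for (int i = (int)nlimbs - 1; i >= 0; i--) {
        uint8_t be[sizeof(limb_t)];          /* big-endian image of d[i] */
        for (unsigned k = 0; k < BYTES_PER_LIMB; k++)
            be[BYTES_PER_LIMB - 1 - k] = (uint8_t)(d[i] >> (8 * k));
        memcpy(p, be + lzeros, BYTES_PER_LIMB - lzeros);
        p += BYTES_PER_LIMB - lzeros;
        lzeros = 0;                          /* only the top limb has leading zeros */
    }
    if (nbytes)
        *nbytes = needed;
    return 0;
}

/* Constructed check: a two-limb number whose top limb is 0x0a, so its
 * big-endian image carries seven leading zero bytes. Returns 1 on success. */
int run_demo(void)
{
    const limb_t d[2] = { 0x1122334455667788ULL, 0x0aULL };
    const uint8_t expect[9] = { 0x0a, 0x11, 0x22, 0x33, 0x44,
                                0x55, 0x66, 0x77, 0x88 };
    uint8_t out[9];
    unsigned n = 0;

    /* A buffer sized exactly for the stripped result is enough... */
    if (limbs_to_bytes(d, 2, out, sizeof(out), &n) != 0)
        return 0;
    if (n != 9 || memcmp(out, expect, 9) != 0)
        return 0;
    /* ...and one byte short is refused instead of overrun. */
    if (limbs_to_bytes(d, 2, out, 8, &n) != -1)
        return 0;
    return 1;
}

int main(void)
{
    puts(run_demo() ? "ok" : "FAIL");
    return 0;
}
```

The point of the `be` scratch array is that the leading-zero offset is always applied to a byte pointer; the same copy written against the address of a limb variable would need an explicit cast to `uint8_t *` before adding the offset.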