From patchwork Tue Mar 22 12:18:16 2016
X-Patchwork-Submitter: Nicolai Stange
X-Patchwork-Id: 8641961
X-Patchwork-Delegate: herbert@gondor.apana.org.au
From: Nicolai Stange
To: Herbert Xu, "David S. Miller"
Cc: Tadeusz Struk, Michal Marek, Andrzej Zaborowski, Stephan Mueller, Arnd Bergmann, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, Nicolai Stange
Subject: [PATCH v3 14/14] lib/mpi: mpi_read_raw_from_sgl(): fix out-of-bounds buffer access
Date: Tue, 22 Mar 2016 13:18:16 +0100
Message-Id: <1458649096-1794-1-git-send-email-nicstange@gmail.com>
In-Reply-To: <1458648768-1469-1-git-send-email-nicstange@gmail.com>
References: <1458648768-1469-1-git-send-email-nicstange@gmail.com>

Within the copying loop in mpi_read_raw_from_sgl(), the last input SGE's
byte count gets artificially extended as follows:

  if (sg_is_last(sg) && (len % BYTES_PER_MPI_LIMB))
    len += BYTES_PER_MPI_LIMB - (len % BYTES_PER_MPI_LIMB);

Within the following byte copying loop, this causes reads beyond that
SGE's allocated buffer:

  BUG: KASAN: slab-out-of-bounds in mpi_read_raw_from_sgl+0x331/0x650 at addr ffff8801e168d4d8
  Read of size 1 by task systemd-udevd/721
  [...]
  Call Trace:
   [] dump_stack+0xbc/0x117
   [] ? _atomic_dec_and_lock+0x169/0x169
   [] ? print_section+0x61/0xb0
   [] print_trailer+0x179/0x2c0
   [] object_err+0x34/0x40
   [] kasan_report_error+0x307/0x8c0
   [] ? kasan_unpoison_shadow+0x35/0x50
   [] ? kasan_kmalloc+0x5e/0x70
   [] kasan_report+0x71/0xa0
   [] ? mpi_read_raw_from_sgl+0x331/0x650
   [] __asan_load1+0x46/0x50
   [] mpi_read_raw_from_sgl+0x331/0x650
   [] rsa_verify+0x106/0x260
   [] ? rsa_set_pub_key+0xf0/0xf0
   [] ? sg_init_table+0x29/0x50
   [] ? pkcs1pad_sg_set_buf+0xb2/0x2e0
   [] pkcs1pad_verify+0x1f4/0x2b0
   [] public_key_verify_signature+0x3a7/0x5e0
   [] ? public_key_describe+0x80/0x80
   [] ? keyring_search_aux+0x150/0x150
   [] ? x509_request_asymmetric_key+0x114/0x370
   [] ? kfree+0x220/0x370
   [] public_key_verify_signature_2+0x32/0x50
   [] verify_signature+0x7c/0xb0
   [] pkcs7_validate_trust+0x42c/0x5f0
   [] system_verify_data+0xca/0x170
   [] ? top_trace_array+0x9b/0x9b
   [] ? __vfs_read+0x279/0x3d0
   [] mod_verify_sig+0x1ff/0x290
  [...]

The exact purpose of the len extension isn't clear to me, but due to its
form, I suspect that it's a leftover somehow accounting for leading zero
bytes within the most significant output limb.

Note however that without that len adjustment, the total number of bytes
ever processed by the inner loop equals nbytes and thus, the last output
limb gets written at this point.

Thus the net effect of the len adjustment cited above is just to keep the
inner loop running for some more iterations, namely < BYTES_PER_MPI_LIMB
ones, reading some extra bytes from beyond the last SGE's buffer and
discarding them afterwards.

Fix this issue by purging the extension of len beyond the last input SGE's
buffer length.

Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers")
Signed-off-by: Nicolai Stange
---
 lib/mpi/mpicoder.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/lib/mpi/mpicoder.c b/lib/mpi/mpicoder.c
index a9f1097..747606f 100644
--- a/lib/mpi/mpicoder.c
+++ b/lib/mpi/mpicoder.c
@@ -484,9 +484,6 @@ MPI mpi_read_raw_from_sgl(struct scatterlist *sgl, unsigned int nbytes)
 		const u8 *buffer = sg_virt(sg) + lzeros;
 		int len = sg->length - lzeros;
 
-		if (sg_is_last(sg) && (len % BYTES_PER_MPI_LIMB))
-			len += BYTES_PER_MPI_LIMB - (len % BYTES_PER_MPI_LIMB);
-
 		for (x = 0; x < len; x++) {
 			a <<= 8;
 			a |= *buffer++;
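Review bot: the hunk's trailing context stops at `a |= *buffer++;`, so the condition that writes the accumulated limb out is not visible here, and the commit message's correctness argument (the last output limb is written exactly when nbytes bytes have been consumed) cannot be checked from these lines alone; a sentence in the message naming that flush condition, or a test whose total input length is not a multiple of BYTES_PER_MPI_LIMB exercised through the rsa_verify path shown in the trace, would make the review self-contained. The deletion itself is sound as far as the visible lines go: with `len` no longer rounded up past `sg->length - lzeros`, `for (x = 0; x < len; x++)` can no longer step `buffer` beyond the SGE, which is the size-1 read KASAN reported.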
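The over-read the commit message describes, as an added example that is neither the kernel's code nor the patch author's: a model of the copy loop over one last SGE of 11 bytes with every read bounds-checked, run once with the pre-fix len rounding and once without. The limbs come out identical either way and only the over-read count differs, which is the "extra bytes read and then discarded" effect the message states. Assumes 64-bit limbs (BYTES_PER_MPI_LIMB = 8); `pack_limbs` and the `sample_*` helpers are this example's own names.

```c
#include <stdint.h>
#include <stddef.h>

#define BYTES_PER_MPI_LIMB 8   /* 64-bit limbs, as on x86_64 */

/* Model of the per-SGE copy loop (added example, not the kernel's code).
 * Packs `nbytes` big-endian bytes from a buffer holding `buflen` valid bytes
 * into limbs (d[0] least significant).  With `extend_len` set, the byte count
 * is rounded up to a whole limb as the pre-fix code did for the last SGE.
 * Reads are bounds-checked instead of dereferenced; the return value is the
 * number of reads that fell beyond `buflen` (KASAN would flag each one). */
static size_t pack_limbs(const uint8_t *buf, size_t buflen, size_t nbytes,
                         int extend_len, uint64_t *d)
{
    size_t j = (nbytes + BYTES_PER_MPI_LIMB - 1) / BYTES_PER_MPI_LIMB;
    /* the top limb holds only nbytes % BYTES_PER_MPI_LIMB bytes: skip its leading padding */
    size_t pos = (BYTES_PER_MPI_LIMB - nbytes % BYTES_PER_MPI_LIMB) % BYTES_PER_MPI_LIMB;
    size_t len = nbytes, oob = 0;
    uint64_t a = 0;

    if (extend_len && (len % BYTES_PER_MPI_LIMB))
        len += BYTES_PER_MPI_LIMB - (len % BYTES_PER_MPI_LIMB);
    for (size_t x = 0; x < len; x++, pos++) {
        uint8_t byte = 0;
        if (x < buflen)
            byte = buf[x];
        else
            oob++;             /* read past the SGE's allocation */
        a = (a << 8) | byte;
        if ((pos + 1) % BYTES_PER_MPI_LIMB == 0 && j > 0) {
            d[--j] = a;        /* last limb lands exactly at x == nbytes - 1 */
            a = 0;
        }
    }
    return oob;
}

/* Constructed 11-byte sample (0x01..0x0b): not a limb multiple, the input shape that over-read. */
static const uint8_t sample[11] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11};

static size_t sample_oob(int extend_len)
{
    uint64_t d[2] = {0};
    return pack_limbs(sample, sizeof sample, sizeof sample, extend_len, d);
}

static uint64_t sample_limb(int extend_len, size_t idx)
{
    uint64_t d[2] = {0};
    pack_limbs(sample, sizeof sample, sizeof sample, extend_len, d);
    return d[idx];
}
```

`sample_oob(1)` (pre-fix rounding) reports 5 reads beyond the 11-byte buffer, `sample_oob(0)` reports none, and `sample_limb()` returns the same two limbs in both modes.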