From patchwork Fri May 18 19:55:35 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Wenwen Wang <wang6495@umn.edu>
X-Patchwork-Id: 10412021
X-Patchwork-Delegate: herbert@gondor.apana.org.au
Return-Path: <linux-crypto-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	128D3602CB for <patchwork-linux-crypto@patchwork.kernel.org>;
	Fri, 18 May 2018 19:55:58 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0213028ABE
	for <patchwork-linux-crypto@patchwork.kernel.org>;
	Fri, 18 May 2018 19:55:58 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id E904428AC7; Fri, 18 May 2018 19:55:57 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-8.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7DA1228ABE
	for <patchwork-linux-crypto@patchwork.kernel.org>;
	Fri, 18 May 2018 19:55:57 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751897AbeERTzy (ORCPT
	<rfc822;patchwork-linux-crypto@patchwork.kernel.org>);
	Fri, 18 May 2018 15:55:54 -0400
Received: from mta-p7.oit.umn.edu ([134.84.196.207]:56636 "EHLO
	mta-p7.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751851AbeERTzx (ORCPT
	<rfc822;linux-crypto@vger.kernel.org>);
	Fri, 18 May 2018 15:55:53 -0400
Received: from localhost (unknown [127.0.0.1])
	by mta-p7.oit.umn.edu (Postfix) with ESMTP id B36EBD1C
	for <linux-crypto@vger.kernel.org>;
	Fri, 18 May 2018 19:55:52 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p7.oit.umn.edu ([127.0.0.1])
	by localhost (mta-p7.oit.umn.edu [127.0.0.1]) (amavisd-new,
	port 10024)
	with ESMTP id 22pWhRQt92Ss for <linux-crypto@vger.kernel.org>;
	Fri, 18 May 2018 14:55:52 -0500 (CDT)
Received: from mail-it0-f70.google.com (mail-it0-f70.google.com
	[209.85.214.70])
	(using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mta-p7.oit.umn.edu (Postfix) with ESMTPS id 88DFDCEB
	for <linux-crypto@vger.kernel.org>;
	Fri, 18 May 2018 14:55:52 -0500 (CDT)
Received: by mail-it0-f70.google.com with SMTP id i130-v6so2534871iti.0
	for <linux-crypto@vger.kernel.org>;
	Fri, 18 May 2018 12:55:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umn.edu; s=google;
	h=from:to:cc:subject:date:message-id;
	bh=uAQyW5tmNLUoNV03xpqELANwWikn1RrEiPIvpHhGdHw=;
	b=c/++3ktf2L1NmVchypGHXZVCO2x8bXpT4/48Ri9skLpd03IDIU5fdwKsYV8dxfnpJa
	igHUtE+ieY9H9SVAcpr3rkxmQvdWV0pS8h5L5P3V5g5ll8u+JSreqBbbYQzsTmFA5ZGt
	MLaF4IVmP7Lkw2KF8ebOjLspKHeAn1L65MajrKTQdnc7cMAbomb9+pr39cNEyn9n4qnf
	PGhJ9JgaxHDCDU//aOdSbhCrtToHiPOFqZo03RvPFPtBaOtVa/dnHZXsmhr2G2MwLQD7
	5ZfnvhW0Qh4IiCU60MH6wIFzHBXPgnnmFg+hH6+sV66p+vZPaUrhcs9c8lPUs/ePJ5Co
	zYGg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=uAQyW5tmNLUoNV03xpqELANwWikn1RrEiPIvpHhGdHw=;
	b=K95dtFh9O1s3LRW/rCKri4xM5nxPMILRzus5QhKRgg+cUwrWu1kkMXiY2QDMv+4GsJ
	woIfpPT7edGCpEVzb9G+qgLuU3Y23TbO7Khv4wuETsV5aSFpS28fYnaq4bgPZIt7WehR
	0PQVkioY1FTU6Tm1ddZaMxe+mfX00zpyTIX0ov+b6445L9VIeMvN5LPU0UZ0tBsL2nKS
	4TmI4upn+NEAEs8e46FDTVkvn9e8+j0WtBwcfch/KApqGaeckBq4JfcbbCBZuaalomoC
	jd5Kx1uYcUEy0s7S+2nmHhp7gSCPt40XaKgdQwa4+wSL42OslyFLfHukT39Gcc+o8CCf
	afeg==
X-Gm-Message-State: ALKqPwc2Oh1GjNIYtD4BX516AhFkfZwUZl9fC8YcCfJkJrJDRwBw9+Rs
	nTyWJl3zrOBelwzErnyDctVDTU6dAqdOoxtygGxZTwAfSeBME59PMJv5eJOb5QSjebiFI6A44hs
	bhY/U9UBV9/0yvnidkR4g4dK55nIp
X-Received: by 2002:a6b:c38b:: with SMTP id
	t133-v6mr11731515iof.197.1526673352211;
	Fri, 18 May 2018 12:55:52 -0700 (PDT)
X-Google-Smtp-Source: 
 AB8JxZr4gVfbKS6hVpI86BeTIZDDjDk+f2KLNtdmoBgQ6kf2+dvm7wRNW7dMUjYoCRV35fxOFhWtng==
X-Received: by 2002:a6b:c38b:: with SMTP id
	t133-v6mr11731500iof.197.1526673351995;
	Fri, 18 May 2018 12:55:51 -0700 (PDT)
Received: from cs-u-cslp16.cs.umn.edu (cs-u-cslp16.cs.umn.edu.
	[134.84.121.95]) by smtp.gmail.com with ESMTPSA id
	i133-v6sm4662008itf.15.2018.05.18.12.55.50
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Fri, 18 May 2018 12:55:51 -0700 (PDT)
From: Wenwen Wang <wang6495@umn.edu>
To: Wenwen Wang <wang6495@umn.edu>
Cc: Kangjie Lu <kjlu@umn.edu>, Harsh Jain <harsh@chelsio.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	Atul Gupta <atul.gupta@chelsio.com>, Michael Werner <werner@chelsio.com>,
	Casey Leedom <leedom@chelsio.com>,
	linux-crypto@vger.kernel.org (open list:CXGB4 CRYPTO DRIVER (chcr)),
	linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] crypto: chtls - fix a missing-check bug
Date: Fri, 18 May 2018 14:55:35 -0500
Message-Id: <1526673338-486-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

In do_chtls_setsockopt(), the tls crypto info is first copied from the
poiner 'optval' in userspace and saved to 'tmp_crypto_info'. Then the
'version' of the crypto info is checked. If the version is not as expected,
i.e., TLS_1_2_VERSION, error code -ENOTSUPP is returned to indicate that
the provided crypto info is not supported yet. Then, the 'cipher_type'
field of the 'tmp_crypto_info' is also checked to see if it is
TLS_CIPHER_AES_GCM_128. If it is, the whole struct of
tls12_crypto_info_aes_gcm_128 is copied from the pointer 'optval' and then
the function chtls_setkey() is invoked to set the key.

Given that the 'optval' pointer resides in userspace, a malicious userspace
process can race to change the data pointed by 'optval' between the two
copies. For example, a user can provide a crypto info with TLS_1_2_VERSION
and TLS_CIPHER_AES_GCM_128. After the first copy, the user can modify the
'version' and the 'cipher_type' fields to any versions and/or cipher types
that are not allowed. This way, the user can bypass the checks, inject
bad data to the kernel, cause chtls_setkey() to set a wrong key or other
issues.

This patch reuses the data copied in the first try so as to ensure these
checks will not be bypassed.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
---
 drivers/crypto/chelsio/chtls/chtls_main.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/crypto/chelsio/chtls/chtls_main.c b/drivers/crypto/chelsio/chtls/chtls_main.c
index 007c45c..39aab05 100644
--- a/drivers/crypto/chelsio/chtls/chtls_main.c
+++ b/drivers/crypto/chelsio/chtls/chtls_main.c
@@ -491,9 +491,13 @@ static int do_chtls_setsockopt(struct sock *sk, int optname,
 
 	switch (tmp_crypto_info.cipher_type) {
 	case TLS_CIPHER_AES_GCM_128: {
-		rc = copy_from_user(crypto_info, optval,
-				    sizeof(struct
-					   tls12_crypto_info_aes_gcm_128));
+		/* Obtain version and type from previous copy */
+		crypto_info[0] = tmp_crypto_info;
+		/* Now copy the following data */
+		rc = copy_from_user((char *)crypto_info + sizeof(*crypto_info),
+				optval + sizeof(*crypto_info),
+				sizeof(struct tls12_crypto_info_aes_gcm_128)
+				- sizeof(*crypto_info));
 
 		if (rc) {
 			rc = -EFAULT;