From patchwork Fri Jul 27 22:36:10 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 10547783
X-Patchwork-Delegate: herbert@gondor.apana.org.au
From: Eric Biggers
To: linux-crypto@vger.kernel.org, Herbert Xu
Cc: Stephan Mueller, Eric Biggers
Subject: [PATCH v2 1/2] crypto: dh - fix calculating encoded key size
Date: Fri, 27 Jul 2018 15:36:10 -0700
Message-Id: <20180727223611.208286-1-ebiggers3@gmail.com>
X-Mailing-List: linux-crypto@vger.kernel.org

From: Eric Biggers It was forgotten to increase DH_KPP_SECRET_MIN_SIZE to include 'q_size', causing an out-of-bounds write of 4 bytes in crypto_dh_encode_key(), and an out-of-bounds read of 4 bytes in crypto_dh_decode_key(). Fix it, and fix the lengths of the test vectors to match this. Reported-by: syzbot+6d38d558c25b53b8f4ed@syzkaller.appspotmail.com Fixes: e3fe0ae12962 ("crypto: dh - add public key verification test") Signed-off-by: Eric Biggers --- crypto/dh_helper.c | 2 +- crypto/testmgr.h | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/crypto/dh_helper.c b/crypto/dh_helper.c index a7de3d9ce5ace..db9b2d9c58f04 100644 --- a/crypto/dh_helper.c +++ b/crypto/dh_helper.c @@ -14,7 +14,7 @@ #include #include -#define DH_KPP_SECRET_MIN_SIZE (sizeof(struct kpp_secret) + 3 * sizeof(int)) +#define DH_KPP_SECRET_MIN_SIZE (sizeof(struct kpp_secret) + 4 * sizeof(int)) static inline u8 *dh_pack_data(void *dst, const void *src, size_t size) { diff --git a/crypto/testmgr.h b/crypto/testmgr.h index 759462d65f412..173111c70746e 100644 --- a/crypto/testmgr.h +++ b/crypto/testmgr.h @@ -641,14 +641,14 @@ static const struct kpp_testvec dh_tv_template[] = { .secret = #ifdef __LITTLE_ENDIAN "\x01\x00" /* type */ - "\x11\x02" /* len */ + "\x15\x02" /* len */ "\x00\x01\x00\x00" /* key_size */ "\x00\x01\x00\x00" /* p_size */ "\x00\x00\x00\x00" /* q_size */ "\x01\x00\x00\x00" /* g_size */ #else "\x00\x01" /* type */ - "\x02\x11" /* len */ + "\x02\x15" /* len */ "\x00\x00\x01\x00" /* key_size */ "\x00\x00\x01\x00" /* p_size */ "\x00\x00\x00\x00" /* q_size */ @@ -741,7 +741,7 @@ static const struct kpp_testvec dh_tv_template[] = { "\xd3\x34\x49\xad\x64\xa6\xb1\xc0\x59\x28\x75\x60\xa7\x8a\xb0\x11" "\x56\x89\x42\x74\x11\xf5\xf6\x5e\x6f\x16\x54\x6a\xb1\x76\x4d\x50" "\x8a\x68\xc1\x5b\x82\xb9\x0d\x00\x32\x50\xed\x88\x87\x48\x92\x17", - .secret_size = 529, + .secret_size = 533, .b_public_size = 256, .expected_a_public_size = 256, .expected_ss_size = 256, 
@@ -750,14 +750,14 @@ static const struct kpp_testvec dh_tv_template[] = { .secret = #ifdef __LITTLE_ENDIAN "\x01\x00" /* type */ - "\x11\x02" /* len */ + "\x15\x02" /* len */ "\x00\x01\x00\x00" /* key_size */ "\x00\x01\x00\x00" /* p_size */ "\x00\x00\x00\x00" /* q_size */ "\x01\x00\x00\x00" /* g_size */ #else "\x00\x01" /* type */ - "\x02\x11" /* len */ + "\x02\x15" /* len */ "\x00\x00\x01\x00" /* key_size */ "\x00\x00\x01\x00" /* p_size */ "\x00\x00\x00\x00" /* q_size */ @@ -850,7 +850,7 @@ static const struct kpp_testvec dh_tv_template[] = { "\x5e\x5a\x64\xbd\xf6\x85\x04\xe8\x28\x6a\xac\xef\xce\x19\x8e\x9a" "\xfe\x75\xc0\x27\x69\xe3\xb3\x7b\x21\xa7\xb1\x16\xa4\x85\x23\xee" "\xb0\x1b\x04\x6e\xbd\xab\x16\xde\xfd\x86\x6b\xa9\x95\xd7\x0b\xfd", - .secret_size = 529, + .secret_size = 533, .b_public_size = 256, .expected_a_public_size = 256, .expected_ss_size = 256,
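
Review bot: In the crypto/dh_helper.c hunk, `4 * sizeof(int)` is still a bare count that has to be bumped by hand whenever a length field is added to the encoded secret, which is the omission this patch repairs for q_size. Consider documenting the four fields next to the macro (key_size, p_size, q_size, g_size, as labelled in the test vectors), or deriving the minimum from the sizes of the fields themselves, so the define and the pack/unpack code cannot drift apart again. A compile-time check tying the two together would catch the next addition.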
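
Review bot: In the crypto/testmgr.h hunks the new length is repeated by hand in three forms per vector: `"\x15\x02"` for little endian, `"\x02\x15"` for big endian, and `.secret_size = 533`. The values are consistent with each other (0x0215 = 533 = 4 header bytes + 4 x 4 size bytes + 256 + 256 + 0 + 1), but nothing in the file records that arithmetic. A short comment beside `.secret_size` showing the sum would make the next change to the encoded format harder to get wrong.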
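
The length accounting described in the commit message, as a userspace model added here for illustration (not code from the kernel or from the patch author): a buffer sized with the old three-field minimum is 4 bytes short of what a bounds-checked encoder needs. The names `dh_model`, `encoded_len`, `put`, `encode`, `MIN_FIXED` and `MIN_BUGGY` are hypothetical, the field layout and the 256/256/0/1 sizes come from the test vector comments, and the payload bytes are constructed zeros.

```c
/* Userspace model of the encoded DH secret; hypothetical names, not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_SIZE  4u  /* type (2 bytes) + len (2 bytes) */
#define MIN_FIXED (HDR_SIZE + 4u * sizeof(uint32_t)) /* key, p, q, g sizes */
#define MIN_BUGGY (HDR_SIZE + 3u * sizeof(uint32_t)) /* q_size forgotten */

struct dh_model { uint32_t key_size, p_size, q_size, g_size; };

/* Buffer length implied by a given fixed-part size plus the four payloads. */
static size_t encoded_len(const struct dh_model *d, size_t min_size)
{
	return min_size + d->key_size + d->p_size + d->q_size + d->g_size;
}

/* Bounds-checked append: fails instead of writing past buf + cap. */
static int put(uint8_t *buf, size_t cap, size_t *off, const void *src, size_t n)
{
	if (n > cap - *off)
		return -1;
	memcpy(buf + *off, src, n);
	*off += n;
	return 0;
}

/* Write header, four size fields and payloads; -1 if cap is too small. */
static long encode(const struct dh_model *d, uint8_t *buf, size_t cap)
{
	static const uint8_t zeros[256];  /* constructed placeholder payload */
	const uint32_t sz[4] = { d->key_size, d->p_size, d->q_size, d->g_size };
	const uint16_t hdr[2] = { 1, (uint16_t)encoded_len(d, MIN_FIXED) }; /* type, len */
	size_t off = 0, i;
	if (put(buf, cap, &off, hdr, sizeof(hdr)) || put(buf, cap, &off, sz, sizeof(sz)))
		return -1;
	for (i = 0; i < 4; i++)
		if (sz[i] > sizeof(zeros) || put(buf, cap, &off, zeros, sz[i]))
			return -1;
	return (long)off;
}

int main(void)
{
	struct dh_model d = { 256, 256, 0, 1 };  /* sizes from the test vector */
	uint8_t buf[533];
	printf("fixed cap: %ld, old cap: %ld\n", encode(&d, buf, encoded_len(&d, MIN_FIXED)),
	       encode(&d, buf, encoded_len(&d, MIN_BUGGY)));
	return 0;
}
```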