Skip to content

Commit 976d258

Browse files
committed
crypto: authencesn - reject short ahash digests during instance creation
jira KERNEL-949 Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10 commit-author Yucheng Lu <kanolyc@gmail.com> commit 5db6ef9 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/5db6ef98.failed authencesn requires either a zero authsize or an authsize of at least 4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of high-order sequence number data at the end of the authenticated data. While crypto_authenc_esn_setauthsize() already rejects explicit non-zero authsizes in the range 1..3, crypto_authenc_esn_create() still copied auth->digestsize into inst->alg.maxauthsize without validating it. The AEAD core then initialized the tfm's default authsize from that value. As a result, selecting an ahash with digest size 1..3, such as cbcmac(cipher_null), exposed authencesn instances whose default authsize was invalid even though setauthsize() would have rejected the same value. AF_ALG could then trigger the ESN tail handling with a too-short tag and hit an out-of-bounds access. Reject authencesn instances whose ahash digest size is in the invalid non-zero range 1..3 so that no tfm can inherit an unsupported default authsize. Fixes: f15f05b ("crypto: ccm - switch to separate cbcmac driver") Cc: stable@kernel.org Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Co-developed-by: Yuan Tan <yuantan098@gmail.com> Signed-off-by: Yuan Tan <yuantan098@gmail.com> Suggested-by: Xin Liu <bird@lzu.edu.cn> Tested-by: Yuhang Zheng <z1652074432@gmail.com> Reviewed-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Yucheng Lu <kanolyc@gmail.com> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> (cherry picked from commit 5db6ef9) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # crypto/authencesn.c
1 parent d549fdc commit 976d258

1 file changed

Lines changed: 133 additions & 0 deletions

File tree

Lines changed: 133 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,133 @@
1+
crypto: authencesn - reject short ahash digests during instance creation
2+
3+
jira KERNEL-949
4+
Rebuild_History Non-Buildable kernel-4.18.0-553.123.1.el8_10
5+
commit-author Yucheng Lu <kanolyc@gmail.com>
6+
commit 5db6ef9847717329f12c5ea8aba7e9f588a980c0
7+
Empty-Commit: Cherry-Pick Conflicts during history rebuild.
8+
Will be included in final tarball splat. Ref for failed cherry-pick at:
9+
ciq/ciq_backports/kernel-4.18.0-553.123.1.el8_10/5db6ef98.failed
10+
11+
authencesn requires either a zero authsize or an authsize of at least
12+
4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of
13+
high-order sequence number data at the end of the authenticated data.
14+
15+
While crypto_authenc_esn_setauthsize() already rejects explicit
16+
non-zero authsizes in the range 1..3, crypto_authenc_esn_create()
17+
still copied auth->digestsize into inst->alg.maxauthsize without
18+
validating it. The AEAD core then initialized the tfm's default
19+
authsize from that value.
20+
21+
As a result, selecting an ahash with digest size 1..3, such as
22+
cbcmac(cipher_null), exposed authencesn instances whose default
23+
authsize was invalid even though setauthsize() would have rejected the
24+
same value. AF_ALG could then trigger the ESN tail handling with a
25+
too-short tag and hit an out-of-bounds access.
26+
27+
Reject authencesn instances whose ahash digest size is in the invalid
28+
non-zero range 1..3 so that no tfm can inherit an unsupported default
29+
authsize.
30+
31+
Fixes: f15f05b0a5de ("crypto: ccm - switch to separate cbcmac driver")
32+
Cc: stable@kernel.org
33+
Reported-by: Yifan Wu <yifanwucs@gmail.com>
34+
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
35+
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
36+
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
37+
Suggested-by: Xin Liu <bird@lzu.edu.cn>
38+
Tested-by: Yuhang Zheng <z1652074432@gmail.com>
39+
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
40+
Signed-off-by: Yucheng Lu <kanolyc@gmail.com>
41+
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
42+
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
43+
(cherry picked from commit 5db6ef9847717329f12c5ea8aba7e9f588a980c0)
44+
Signed-off-by: Jonathan Maple <jmaple@ciq.com>
45+
46+
# Conflicts:
47+
# crypto/authencesn.c
48+
diff --cc crypto/authencesn.c
49+
index a7c345f88223,522df41365d8..000000000000
50+
--- a/crypto/authencesn.c
51+
+++ b/crypto/authencesn.c
52+
@@@ -411,55 -366,40 +411,65 @@@ static void crypto_authenc_esn_free(str
53+
static int crypto_authenc_esn_create(struct crypto_template *tmpl,
54+
struct rtattr **tb)
55+
{
56+
- u32 mask;
57+
+ struct crypto_attr_type *algt;
58+
struct aead_instance *inst;
59+
- struct authenc_esn_instance_ctx *ctx;
60+
- struct skcipher_alg_common *enc;
61+
struct hash_alg_common *auth;
62+
struct crypto_alg *auth_base;
63+
+ struct skcipher_alg *enc;
64+
+ struct authenc_esn_instance_ctx *ctx;
65+
+ const char *enc_name;
66+
int err;
67+
68+
- err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_AEAD, &mask);
69+
- if (err)
70+
- return err;
71+
+ algt = crypto_get_attr_type(tb);
72+
+ if (IS_ERR(algt))
73+
+ return PTR_ERR(algt);
74+
+
75+
+ if ((algt->type ^ CRYPTO_ALG_TYPE_AEAD) & algt->mask)
76+
+ return -EINVAL;
77+
+
78+
+ auth = ahash_attr_alg(tb[1], CRYPTO_ALG_TYPE_HASH,
79+
+ CRYPTO_ALG_TYPE_AHASH_MASK |
80+
+ crypto_requires_sync(algt->type, algt->mask));
81+
+ if (IS_ERR(auth))
82+
+ return PTR_ERR(auth);
83+
+
84+
+ auth_base = &auth->base;
85+
+
86+
++<<<<<<< HEAD
87+
+ enc_name = crypto_attr_alg_name(tb[2]);
88+
+ err = PTR_ERR(enc_name);
89+
+ if (IS_ERR(enc_name))
90+
+ goto out_put_auth;
91+
92+
inst = kzalloc(sizeof(*inst) + sizeof(*ctx), GFP_KERNEL);
93+
+ err = -ENOMEM;
94+
if (!inst)
95+
- return -ENOMEM;
96+
- ctx = aead_instance_ctx(inst);
97+
+ goto out_put_auth;
98+
99+
- err = crypto_grab_ahash(&ctx->auth, aead_crypto_instance(inst),
100+
- crypto_attr_alg_name(tb[1]), 0, mask);
101+
- if (err)
102+
- goto err_free_inst;
103+
- auth = crypto_spawn_ahash_alg(&ctx->auth);
104+
- auth_base = &auth->base;
105+
+ ctx = aead_instance_ctx(inst);
106+
107+
+ err = crypto_init_ahash_spawn(&ctx->auth, auth,
108+
+ aead_crypto_instance(inst));
109+
++=======
110+
+ if (auth->digestsize > 0 && auth->digestsize < 4) {
111+
+ err = -EINVAL;
112+
+ goto err_free_inst;
113+
+ }
114+
+
115+
+ err = crypto_grab_skcipher(&ctx->enc, aead_crypto_instance(inst),
116+
+ crypto_attr_alg_name(tb[2]), 0, mask);
117+
++>>>>>>> 5db6ef984771 (crypto: authencesn - reject short ahash digests during instance creation)
118+
if (err)
119+
goto err_free_inst;
120+
- enc = crypto_spawn_skcipher_alg_common(&ctx->enc);
121+
+
122+
+ crypto_set_skcipher_spawn(&ctx->enc, aead_crypto_instance(inst));
123+
+ err = crypto_grab_skcipher(&ctx->enc, enc_name, 0,
124+
+ crypto_requires_sync(algt->type,
125+
+ algt->mask));
126+
+ if (err)
127+
+ goto err_drop_auth;
128+
+
129+
+ enc = crypto_spawn_skcipher_alg(&ctx->enc);
130+
131+
err = -ENAMETOOLONG;
132+
if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
133+
* Unmerged path crypto/authencesn.c

0 commit comments

Comments
 (0)