On Thu, Mar 12, 2015 at 09:17:51AM +0100, Stephan Mueller wrote: > The kernel crypto API logic requires the caller to provide the > length of (ciphertext || authentication tag) as cryptlen for the > AEAD decryption operation. Thus, the cipher implementation must > calculate the size of the plaintext output itself and cannot simply use > cryptlen. > > The RFC4106 GCM decryption operation tries to overwrite cryptlen memory > in req->dst. As the destination buffer for decryption only needs to hold > the plaintext memory but cryptlen references the input buffer holding > (ciphertext || authentication tag), the assumption of the destination > buffer length in RFC4106 GCM operation leads to a too large size. This > patch simply uses the already calculated plaintext size. > > In addition, this patch fixes the offset calculation of the AAD buffer > pointer: as mentioned before, cryptlen already includes the size of the > tag. Thus, the tag does not need to be added. With the addition, the AAD > will be written beyond the already allocated buffer. > > Note, this fixes a kernel crash that can be triggered from user space > via AF_ALG(aead) -- simply use the libkcapi test application > from [1] and update it to use rfc4106-gcm-aes. > > Using [1], the changes were tested using CAVS vectors to demonstrate > that the crypto operation still delivers the right results. > > [1] http://www.chronox.de/libkcapi.html > > CC: Tadeusz Struk <tadeusz.struk@xxxxxxxxx> > Signed-off-by: Stephan Mueller <smueller@xxxxxxxxxx> Patch applied. Thanks! -- Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html