[PATCH v4 1/7] crypto: skcipher - handle zero sized inputs correctly

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



There are corner cases where skcipher_walk_aead_encrypt() may be
invoked with a zero sized input, which is not rejected by the walker
code, but results in the skcipher_walk structure to not be fully
initialized. This will leave stale values in its page and buffer
members, which will be subsequently passed to kfree() or free_page() by
skcipher_walk_done(), resulting in a crash if those routines fail to
identify them as in valid inputs.

Fix this by setting page and buffer to NULL even if the size of the
input is zero. Note that for AEAD encryption in particular, a zero sized
input could be a valid and meaningful use of the API, given the support
for associated authenticated data (AAD), which gets reflected in the
authentication tag as well.

For symmetry, apply the same fix to the plain skcipher walker code, even
though in that case, no meaningful usage scenarios are known for zero
sized inputs.

Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
---
 crypto/skcipher.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/crypto/skcipher.c b/crypto/skcipher.c
index a15376245416..ed2deb031742 100644
--- a/crypto/skcipher.c
+++ b/crypto/skcipher.c
@@ -455,6 +455,8 @@ static int skcipher_walk_skcipher(struct skcipher_walk *walk,
 	walk->nbytes = 0;
 	walk->iv = req->iv;
 	walk->oiv = req->iv;
+	walk->buffer = NULL;
+	walk->page = NULL;
 
 	if (unlikely(!walk->total))
 		return 0;
@@ -511,6 +513,8 @@ static int skcipher_walk_aead_common(struct skcipher_walk *walk,
 	walk->nbytes = 0;
 	walk->iv = req->iv;
 	walk->oiv = req->iv;
+	walk->buffer = NULL;
+	walk->page = NULL;
 
 	if (unlikely(!walk->total))
 		return 0;
-- 
2.20.1




[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux