On Sun, 2016-04-10 at 11:34 -0700, Greg Kroah-Hartman wrote:
> 4.5-stable review patch. If anyone has any objections, please let me know.

I object, because this introduces an information leak.

[...]
> --- a/drivers/crypto/ccp/ccp-crypto-sha.c
> +++ b/drivers/crypto/ccp/ccp-crypto-sha.c
> @@ -210,14 +210,17 @@ static int ccp_sha_digest(struct ahash_r
>  static int ccp_sha_export(struct ahash_request *req, void *out)
>  {
>  	struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req);
> -	struct ccp_sha_exp_ctx *state = out;
> +	struct ccp_sha_exp_ctx state;

The structure was defined in the previous patch as:

> +struct ccp_sha_exp_ctx {
> +	enum ccp_sha_type type;

There will be padding between type and msg_bits on most architectures.

> +	u64 msg_bits;
> +	unsigned int first;
> +
> +	u8 ctx[MAX_SHA_CONTEXT_SIZE];
> +
> +	unsigned int buf_count;
> +	u8 buf[MAX_SHA_BLOCK_SIZE];

And more padding at the end of the structure.

> +};

Back to the code:

> -	state->type = rctx->type;
> -	state->msg_bits = rctx->msg_bits;
> -	state->first = rctx->first;
> -	memcpy(state->ctx, rctx->ctx, sizeof(state->ctx));
> -	state->buf_count = rctx->buf_count;
> -	memcpy(state->buf, rctx->buf, sizeof(state->buf));
> +	state.type = rctx->type;
> +	state.msg_bits = rctx->msg_bits;
> +	state.first = rctx->first;
> +	memcpy(state.ctx, rctx->ctx, sizeof(state.ctx));
> +	state.buf_count = rctx->buf_count;
> +	memcpy(state.buf, rctx->buf, sizeof(state.buf));
> +
> +	/* 'out' may not be aligned so memcpy from local variable */
> +	memcpy(out, &state, sizeof(state));
[...]

The padding was not initialised, but here we copy it to userland.

Ben.

-- 
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.
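Review bot: the new local `struct ccp_sha_exp_ctx state;` in ccp_sha_export is never cleared before its members are assigned, so the compiler-inserted padding (the hole between `type` and `msg_bits`, and any tail padding after `buf`) still holds whatever the stack contained when `memcpy(out, &state, sizeof(state));` copies the entire object to the caller. Member-by-member assignment only defines the declared fields, never the padding. Zero the whole object first, e.g. `struct ccp_sha_exp_ctx state;` followed by `memset(&state, 0, sizeof(state));` (or an empty initialiser) before the field copies, so that the full-size memcpy exports only defined bytes.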
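The padding problem Ben describes, as an added example that is not code from this thread or from the ccp driver: a constructed struct with the same member order as the quoted `ccp_sha_exp_ctx`, a function that locates the bytes no member covers, an export in the shape of the patch (with the stale stack contents simulated deterministically by a marker byte, since real uninitialised memory is not reproducible), and the hardened export that zeroes the local first. The array sizes, the `STALE` marker and all names are assumptions; the hole sizes depend on the compiler's ABI.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the quoted struct; sizes are assumed values,
 * not the driver's real MAX_SHA_* constants. */
#define CTX_SIZE 32
#define BLOCK_SIZE 64

enum sha_type { SHA_1 = 1, SHA_224, SHA_256 };

struct sha_exp_ctx {
    enum sha_type type;    /* usually 4 bytes ... */
    uint64_t msg_bits;     /* ... and this needs 8-byte alignment: hole before it */
    unsigned int first;
    uint8_t ctx[CTX_SIZE];
    unsigned int buf_count;
    uint8_t buf[BLOCK_SIZE];
};

/* Source request context (only the fields the export copies). */
struct sha_req_ctx {
    enum sha_type type;
    uint64_t msg_bits;
    unsigned int first;
    uint8_t ctx[CTX_SIZE];
    unsigned int buf_count;
    uint8_t buf[BLOCK_SIZE];
};

#define STALE 0xAA  /* assumed marker standing in for old stack contents */

/* Does byte 'off' of struct sha_exp_ctx belong to a declared member? */
static int in_member(size_t off)
{
    const struct { size_t start, len; } m[] = {
        { offsetof(struct sha_exp_ctx, type),      sizeof(enum sha_type) },
        { offsetof(struct sha_exp_ctx, msg_bits),  sizeof(uint64_t) },
        { offsetof(struct sha_exp_ctx, first),     sizeof(unsigned int) },
        { offsetof(struct sha_exp_ctx, ctx),       CTX_SIZE },
        { offsetof(struct sha_exp_ctx, buf_count), sizeof(unsigned int) },
        { offsetof(struct sha_exp_ctx, buf),       BLOCK_SIZE },
    };
    for (size_t i = 0; i < sizeof m / sizeof m[0]; i++)
        if (off >= m[i].start && off < m[i].start + m[i].len)
            return 1;
    return 0;
}

/* Number of padding bytes the compiler inserted into the struct. */
size_t padding_bytes(void)
{
    size_t n = 0;
    for (size_t off = 0; off < sizeof(struct sha_exp_ctx); off++)
        n += !in_member(off);
    return n;
}

/* The member-by-member copy from the patch: defines fields, not padding. */
static void fill(struct sha_exp_ctx *state, const struct sha_req_ctx *rctx)
{
    state->type = rctx->type;
    state->msg_bits = rctx->msg_bits;
    state->first = rctx->first;
    memcpy(state->ctx, rctx->ctx, sizeof(state->ctx));
    state->buf_count = rctx->buf_count;
    memcpy(state->buf, rctx->buf, sizeof(state->buf));
}

/* Shape of the posted patch: local never cleared, whole object copied out. */
void export_leaky(const struct sha_req_ctx *rctx, void *out)
{
    struct sha_exp_ctx state;
    memset(&state, STALE, sizeof(state));  /* simulate uninitialised stack */
    fill(&state, rctx);
    memcpy(out, &state, sizeof(state));
}

/* Hardened form: zero the whole local first so every byte is defined. */
void export_safe(const struct sha_req_ctx *rctx, void *out)
{
    struct sha_exp_ctx state;
    memset(&state, 0, sizeof(state));
    fill(&state, rctx);
    memcpy(out, &state, sizeof(state));
}

/* Count padding bytes in an exported buffer that still carry STALE. */
size_t stale_padding_bytes(const void *out)
{
    const unsigned char *p = out;
    size_t n = 0;
    for (size_t off = 0; off < sizeof(struct sha_exp_ctx); off++)
        if (!in_member(off) && p[off] == STALE)
            n++;
    return n;
}

/* Run one export on constructed input and report how many padding bytes leaked. */
size_t leaked_by(void (*export_fn)(const struct sha_req_ctx *, void *))
{
    struct sha_req_ctx rctx;
    unsigned char out[sizeof(struct sha_exp_ctx)];
    memset(&rctx, 0, sizeof(rctx));
    rctx.type = SHA_256;
    rctx.msg_bits = 512;
    rctx.buf_count = 3;
    memcpy(rctx.buf, "abc", 3);
    export_fn(&rctx, out);
    return stale_padding_bytes(out);
}
```

On a typical 64-bit ABI `padding_bytes()` is 4 (the hole between `type` and `msg_bits`), and `leaked_by(export_leaky)` returns exactly that many stale bytes while `leaked_by(export_safe)` returns 0; on an ABI with no padding both are 0, which is why the check is written against the computed layout rather than a hard-coded offset.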