summaryrefslogtreecommitdiffstats
path: root/include/crypto
diff options
context:
space:
mode:
authorEric Biggers <ebiggers@google.com>2017-12-11 12:15:17 -0800
committerHerbert Xu <herbert@gondor.apana.org.au>2017-12-22 19:02:33 +1100
commite57121d08c38dabec15cf3e1e2ad46721af30cae (patch)
tree6b7f60bfe26c74e92500c9ecf129774351a2932d /include/crypto
parentd042566d8c704e1ecec370300545d4a409222e39 (diff)
downloadlinux-stable-e57121d08c38dabec15cf3e1e2ad46721af30cae.tar.gz
linux-stable-e57121d08c38dabec15cf3e1e2ad46721af30cae.tar.bz2
linux-stable-e57121d08c38dabec15cf3e1e2ad46721af30cae.zip
crypto: chacha20poly1305 - validate the digest size
If the rfc7539 template was instantiated with a hash algorithm with digest size larger than 16 bytes (POLY1305_DIGEST_SIZE), then the digest overran the 'tag' buffer in 'struct chachapoly_req_ctx', corrupting the subsequent memory, including 'cryptlen'. This caused a crash during crypto_skcipher_decrypt(). Fix it by, when instantiating the template, requiring that the underlying hash algorithm has the digest size expected for Poly1305. Reproducer: #include <linux/if_alg.h> #include <sys/socket.h> #include <unistd.h> int main() { int algfd, reqfd; struct sockaddr_alg addr = { .salg_type = "aead", .salg_name = "rfc7539(chacha20,sha256)", }; unsigned char buf[32] = { 0 }; algfd = socket(AF_ALG, SOCK_SEQPACKET, 0); bind(algfd, (void *)&addr, sizeof(addr)); setsockopt(algfd, SOL_ALG, ALG_SET_KEY, buf, sizeof(buf)); reqfd = accept(algfd, 0, 0); write(reqfd, buf, 16); read(reqfd, buf, 16); } Reported-by: syzbot <syzkaller@googlegroups.com> Fixes: 71ebc4d1b27d ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539") Cc: <stable@vger.kernel.org> # v4.2+ Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Diffstat (limited to 'include/crypto')
0 files changed, 0 insertions, 0 deletions