ACK: [B][C][SRU][PATCH 0/1] crypto: authenc - fix parsing key with misaligned rta_len
connor.kuehl at canonical.com
Fri May 31 15:42:39 UTC 2019
On 5/22/19 10:09 PM, Po-Hsu Lin wrote:
> BugLink: https://bugs.launchpad.net/bugs/1829725
> == Justification ==
> From the commit message:
> Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte
> 'enckeylen', followed by an authentication key and an encryption key.
> crypto_authenc_extractkeys() parses the key to find the inner keys.
> However, it fails to consider the case where the rtattr's payload is
> longer than 4 bytes but not 4-byte aligned, and where the key ends
> before the next 4-byte aligned boundary. In this case, 'keylen -=
> RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX. This
> causes a buffer overread and crash during crypto_ahash_setkey().
> This error can be easily reproduced with the af_alg06 test in LTP test
> suite. (Basically it's the reproducer in the commit message)
> == Fix ==
> 8f9c4693 (crypto: authenc - fix parsing key with misaligned rta_len)
> This patch can be cherry-picked into B/C, and it's already in X/D/E.
> == Test ==
> Test kernels could be found here:
> Both verified on a KVM node, this issue will no longer exist.
> == Regression potential ==
> Low, this patch just improves the checking for rtattr payload size to
> make sure it's the expected size. Also It has been upstream since 2018
> Dec. and applied in some of our kernels. No subsequent bug report was
> filed against it.
> Eric Biggers (1):
> crypto: authenc - fix parsing key with misaligned rta_len
> crypto/authenc.c | 14 +++++++++++---
> 1 file changed, 11 insertions(+), 3 deletions(-)
Acked-by: Connor Kuehl <connor.kuehl at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5950 bytes
Desc: not available
More information about the kernel-team