Message-ID: <1460426212.25201.98.camel@decadent.org.uk>
Subject: Re: [PATCH 4.5 079/238] crypto: ccp - Dont assume export/import
 areas are aligned
From: Ben Hutchings <ben@decadent.org.uk>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org, Tom Lendacky <thomas.lendacky@amd.com>,
        Herbert Xu <herbert@gondor.apana.org.au>
Date: Tue, 12 Apr 2016 02:56:52 +0100
In-Reply-To: <20160410183500.908546902@linuxfoundation.org>
References: <20160410183456.398741366@linuxfoundation.org>
	 <20160410183500.908546902@linuxfoundation.org>
Content-Type: multipart/signed; micalg="pgp-sha512";
	protocol="application/pgp-signature"; boundary="=-xrFC33jUUXQ04KFZmnPd"
Mime-Version: 1.0
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 2878
Lines: 89


--=-xrFC33jUUXQ04KFZmnPd
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Sun, 2016-04-10 at 11:34 -0700, Greg Kroah-Hartman wrote:
> 4.5-stable review patch.=C2=A0=C2=A0If anyone has any objections, please =
let me know.

I object, because this introduces an information leak.

[...]
> --- a/drivers/crypto/ccp/ccp-crypto-sha.c
> +++ b/drivers/crypto/ccp/ccp-crypto-sha.c
> @@ -210,14 +210,17 @@ static int ccp_sha_digest(struct ahash_r
> =C2=A0static int ccp_sha_export(struct ahash_request *req, void *out)
> =C2=A0{
> =C2=A0	struct ccp_sha_req_ctx *rctx =3D ahash_request_ctx(req);
> -	struct ccp_sha_exp_ctx *state =3D out;
> +	struct ccp_sha_exp_ctx state;

The structure was defined in the previous patch as:

> +struct ccp_sha_exp_ctx {
> +	enum ccp_sha_type type;

There will be padding between type and msg_bits on most architectures.

> +	u64 msg_bits;
> +	unsigned int first;
> +
> +	u8 ctx[MAX_SHA_CONTEXT_SIZE];
> +
> +	unsigned int buf_count;
> +	u8 buf[MAX_SHA_BLOCK_SIZE];

And more padding at the end of the structure.

> +};

Back to the code:

> -	state->type =3D rctx->type;
> -	state->msg_bits =3D rctx->msg_bits;
> -	state->first =3D rctx->first;
> -	memcpy(state->ctx, rctx->ctx, sizeof(state->ctx));
> -	state->buf_count =3D rctx->buf_count;
> -	memcpy(state->buf, rctx->buf, sizeof(state->buf));
> +	state.type =3D rctx->type;
> +	state.msg_bits =3D rctx->msg_bits;
> +	state.first =3D rctx->first;
> +	memcpy(state.ctx, rctx->ctx, sizeof(state.ctx));
> +	state.buf_count =3D rctx->buf_count;
> +	memcpy(state.buf, rctx->buf, sizeof(state.buf));
> +
> +	/* 'out' may not be aligned so memcpy from local variable */
> +	memcpy(out, &state, sizeof(state));
[...]

The padding was not initialised, but here we copy it to userland.

Ben.

--=20
Ben Hutchings
This sentence contradicts itself - no actually it doesn't.
--=-xrFC33jUUXQ04KFZmnPd
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAABCgAGBQJXDFXkAAoJEOe/yOyVhhEJR9oP/0tOdMnsSTIg/yPSalv8a1Ar
S4TVvS4sCEdn+wmscZUbG1YQD5V4wAVQ5Y55orzKGCVY1j++3zv/7p5cupuuFEZ6
JFD7WAwPkzANygZH/qFAvIdrW68Jo3ju49SXp83HBMmwBWE4EvHyN2IRjc5dK2RP
ifFY7utGp3hffj5Rfxq3crOG+y66qzBnEqZZAZPGhQ8TS3q6S5fiVV2gbHuTHczT
fi5xPV1fgA68phUkrlY6pFOm7k6AxHxL9PPQThuWysCha+8213ZF67B5VMLVoF5x
OLcI6q/HIAQlo/ZuRGbd/7HAShZ07UbKDOf58A1d5POnHWepIY5WI92KHW2hMINg
S7mtWRtqCWUyehyNx8DudrLh1vKC62Tg+UqfB2g/ELZWK7dyLH++Bmt0JwcTwqra
cO3ob1rdrPIdB+57WF9muUig8OCyaZQgT6L9iV8DJZrrKvxOpkliY8ihkra2Rini
PJtmPozgEH+/kko8WWf8aiE0geE833X3FzBkAMGBjiablEfQYmocT2ldRZUISwJi
f2o3/Qmy1rt/JK9+X81GhcTH81/JRIFyS9bEQSYPoUDAK1H3AZl0w1uTJ56dA3aL
a5NN/WFY5EqcWP6QS6rFo6EMza0ChLiw22qGm/l5g87rZq3AUmtIvQjb9YZUFJj9
a+XVpeEM4t0TcqKbgin2
=poIF
-----END PGP SIGNATURE-----

--=-xrFC33jUUXQ04KFZmnPd--