Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S933996AbcDLRCM (ORCPT <rfc822;w@1wt.eu>);
	Tue, 12 Apr 2016 13:02:12 -0400
Received: from mail-bl2on0076.outbound.protection.outlook.com ([65.55.169.76]:50161
	"EHLO na01-bl2-obe.outbound.protection.outlook.com"
	rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
	id S932900AbcDLRCK (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Tue, 12 Apr 2016 13:02:10 -0400
Authentication-Results: gondor.apana.org.au; dkim=none (message not signed)
 header.d=none;gondor.apana.org.au; dmarc=none action=none
 header.from=amd.com;
Subject: Re: [PATCH 4.5 079/238] crypto: ccp - Dont assume export/import areas
 are aligned
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Ben Hutchings <ben@decadent.org.uk>
References: <20160410183456.398741366@linuxfoundation.org>
 <20160410183500.908546902@linuxfoundation.org>
 <1460426212.25201.98.camel@decadent.org.uk> <20160412142841.GH7996@kroah.com>
CC: <linux-kernel@vger.kernel.org>, <stable@vger.kernel.org>,
        Herbert Xu <herbert@gondor.apana.org.au>
From: Tom Lendacky <thomas.lendacky@amd.com>
Message-ID: <570D29DD.5000001@amd.com>
Date: Tue, 12 Apr 2016 12:01:17 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <20160412142841.GH7996@kroah.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [165.204.77.1]
X-ClientProxiedBy: AM2PR09CA0057.eurprd09.prod.outlook.com (10.160.228.153) To
 BY2PR1201MB1111.namprd12.prod.outlook.com (10.164.168.19)
X-MS-Office365-Filtering-Correlation-Id: c60352c4-0ab2-4283-87dd-08d362f42d9d
X-Microsoft-Exchange-Diagnostics: 1;BY2PR1201MB1111;2:LByuaoPP1QyIv8pR9M5DaUG2Kig8OuMAZQ8lZ9/tQz5Ykv3sNrUGEh7y50o4BXGRcEWDvuTeLQ2xntD2DrJFKnBpomg9e8ejXvuoyA1b7GCT9mUQI9ZF4JpgJ2MFWmFQo1zqBoEry+MOroqmvMAm3fxHDbWsEQoZ3830FaQC07PAtw08AqGs01v3Pn5qoWZO;3:c//wJ7QMk34KAQ2Iu1ubH+ENJANexaAU2B6FiqoYdMw1VJzLOI7NFUrU5PLP4MKuK8tsfIJl2ZJVf9ZOyaVNhyrpyC/0oM4loZZ17ndNeaQqSBtXW6sB10syJGfLjFA9;25:osy9BRLgQsdhGYTjc9iN5B6eecpS4IlK3BsBNvpCXTM76r+04rdt4q6/B/rIa18kJwAG6XiUVCDwOZEpILKOj9Syv+dx18HzN52ayAh+1dtcqTXw61+IuwXiwKXp/cP1F+9JLDjBkwml+YYAtJQaXVP3WshzWJjUa/0MrZrIGxCOyLIBs07B3Mdv6DFdpNAoK/OEkWKA+oV5HyLhnuIXtdnP1CrXQ+M5qjOMzXE9VvaxIgKG27J0WrgwykOw2vAmlWE8SpUZevpEVBgurRkJdB6HBGcKp0t1rMvzQU6HxuAFRvO++wXQP9NME2ZRMUftxA0QHD3bkK6fAYi0v8Li5g==
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR1201MB1111;
X-Microsoft-Exchange-Diagnostics: 1;BY2PR1201MB1111;20:TKIlsFb2K+TA2cBnl/4VXX2HbbYunlcEams8147BnWIzRqz/10f6IBiyn4CcCacsGjmsXTF7UBzTL7IvANDGwBpjK9NHVYu2sYlRSAzXYpeJgPxMjmPhpV/7fG21hXVmsTB7owiP75gZnuwFoZ8DuUniJwoizpTguxFxnAdmWealFVw0EnP1nb0CxDT/qqifNVquDJjTRJ4ibMxcq2OvDPdf+QC4xyrtWRg/Vtz/laU/t2AKmUi4eeM8hlNEY6m86+YiSB7aFV/qMUmeD5y1KRVPJVQfh3a111IKQGNmnf4SijoJVcpUFbDrXHpBugtkA58nD2X6cb1wTtsEfE1ex8Ribw4v7BOYc7WiDX/oXlomfdme+fdB7hkBB7zZ+RLPDyY2YXMgAIjBwT430JEBHXtYK6dcK1ww/LXjUouovmWHKKV+m5NKrdFmbCR4VsXHBZhc3EgRUodcyPRiZAlBGQIwkNZpK11tZYWLAIgmh86+KwcJyQrj0JqH240cbKjm;4:70Ld6xc/aogelBuyAIp2SDmc/RimUXYn4jvUq4sA+MEPgX/JNXRCC/QrtvbqFmnuHwFaW2AeZWkBBuVuRUQE0/U/PMUS1Ik/zRoEwpq9J9L5Z+Al3rcyuj/EsiqM9aZ3iJY8EDRrNchOjhc8NDo2z2/kfhEVIJemvkTI2wbioXXwQ25AFTHDK2u2DGZXBhDKlVIhwYEJoeB82raZdAyrlu3toNFPExzYzTcyS5VZiGpVIgfO5OkydzKmg11EYmURIy969izFPVrzwBh28zHO+r146I7tt3EGcDKkzOqLXFm94Mm805BXGqZqZ63ciOF7zGdb6Y2z5ot7Q5SxGSKAjvbF2t76+Grhj7cO5Zg0+oHmvu9pUlpV5B5ZRWMuiBx+
X-Microsoft-Antispam-PRVS: <BY2PR1201MB111195F39729CFDC55E038B8EC950@BY2PR1201MB1111.namprd12.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046);SRVR:BY2PR1201MB1111;BCL:0;PCL:0;RULEID:;SRVR:BY2PR1201MB1111;
X-Forefront-PRVS: 0910AAF391
X-Forefront-Antispam-Report: SFV:NSPM;SFS:(10009020)(4630300001)(6049001)(6009001)(377424004)(377454003)(24454002)(42186005)(92566002)(189998001)(64126003)(5001770100001)(36756003)(86362001)(23746002)(5004730100002)(65956001)(87266999)(50986999)(50466002)(54356999)(76176999)(33656002)(5008740100001)(19580395003)(6116002)(3846002)(586003)(81166005)(93886004)(1096002)(2950100001)(80316001)(65816999)(65806001)(66066001)(83506001)(77096005)(47776003)(230700001)(4326007)(164054004)(2906002);DIR:OUT;SFP:1101;SCL:1;SRVR:BY2PR1201MB1111;H:[10.236.18.82];FPR:;SPF:None;MLV:sfv;LANG:en;
X-Microsoft-Exchange-Diagnostics: =?Windows-1252?Q?1;BY2PR1201MB1111;23:vWC9ZHtulEJuHUvvNpEtNMmZD3c9M9mVMfj?=
 =?Windows-1252?Q?mPrfsg1FC+JuMix47r1KtN1sFCNdbiKYxR7jHVoqeDzQnZOqbthEmkGR?=
 =?Windows-1252?Q?TAAynkD0mGMeKTrA3tznOdZ/E7lxKvGKzLQWTxVvbmZpVsZd6NfqffaY?=
 =?Windows-1252?Q?lhiuDRQWxVC3FPKoKKdrhy6MzbnjRTuBuHV8UCx/wjdVbuFy9LkAQucm?=
 =?Windows-1252?Q?lqcQGDp0E6HqGTLnFs4h94SEdE0ierRLr8l7z/VLla5ouwwDycE4GjQb?=
 =?Windows-1252?Q?BBboxlPQpwHklDqZDs6B9IEEUcUM3nfK1yr4ybkwacmDIB2RM3/oiuxx?=
 =?Windows-1252?Q?JkEBwPFnDXFv6R+8EleVlPH2+r5dhk3RsvrNrjd419ZLizu2UujGi9nl?=
 =?Windows-1252?Q?b41oucPnmSwGEopJ7sJl9fgErGb/i1VRuKXDrX5vRbs2ZYJSPvd6kB1S?=
 =?Windows-1252?Q?/YX39AKgCU2g8rfv01XlqTwZ25ughFwQ64aby0SoBN/jdJKFsaSeshZk?=
 =?Windows-1252?Q?HlAnx+u3vgneH4Vu53mp+VtAVi+g+jBZX7M/pRFuo9NA+KcqFdh14zxj?=
 =?Windows-1252?Q?OSaR5tw3IoINjeTjwJ6HgM8UeyWF8L3laPmBpBQZn3obrlRDzfet2/w+?=
 =?Windows-1252?Q?IPyjK/nw8MMD4dndD8pplGMFP8lUuCXQ7lHX6FcXHjkAwrcqBfwkkmfA?=
 =?Windows-1252?Q?aJxlmnVTHNBe1TId3UwPjmkGtX//Vri4/sQOFNvwd3H/ClM/+bM5RAs+?=
 =?Windows-1252?Q?Bpq3J/xt1ZlYd2+RxLCmfVBjifwWQovrzSf7HgLVe+ybHN0NAzSoTR2E?=
 =?Windows-1252?Q?9VGWcev4G+M0ghkUXviJjbbgcsQK5cnyPHgQ2kbmt4gj6QRWY74KtylZ?=
 =?Windows-1252?Q?5qPO8jvCvx0G9w1VxpmOukbhf01xLnvvQiypQu3Iw6Bf28LGjFYsOPhr?=
 =?Windows-1252?Q?MGOBlPCHIU0wLtCZw4dW29jv5YMXqxbYjSvbhiIpRA+H0q12UTd/s/Zb?=
 =?Windows-1252?Q?UZ+28WP5b/rGhpBt5UvHMsZo2Rs8B5p4l/2kTNTY+BvqRWips/zicUn8?=
 =?Windows-1252?Q?2bpciZU8A71mMY2KCbvZEkXD5EhDghsirkkgr++cvzL9FjeM4jFZwYm3?=
 =?Windows-1252?Q?tB8xZ+vW4muca1RwCEJtM+2v7s8kuK+PftF0mtzwr+UOMzpV3dpl0Ljs?=
 =?Windows-1252?Q?KsZieKrPrgA=3D=3D?=
X-Microsoft-Exchange-Diagnostics: 1;BY2PR1201MB1111;5:5KeCChrw5bW1CV1engaiE7QdVEtqc0RudG3cJFcHDx00jV/tGSrJTCUnnB3jPfNnKcEYaJMfytsAb3PbGqNx53jCn+k+poqChH2FUVskTs6W0bR1NKdupC5/bKDrvuk5Deg97Ak4BWVbyspcU0O9mg==;24:FXw48wPBq99oyN6F5gtXvTbXs9Y4X3oo3hSBiTi7VGPVcLxup/y9t400CSZFrD9YsthjNOckNge51km9yXsyb9ElwYFx4SHE9trXWxMAlrg=;20:kZBdqDtzhF4NK+ag0lmOVw84AxxVcY7+4hphkMY2fGJK4XeCVYHXqLiazY6yofEvn3vRgP1K7MPJO75+I8dXcswT6MyZrxQSlG0ogNQ/Nn6llZIY6Ig1MwbVAn9CrxeKXtL2nrN5Fanw4IqMIr5ngAcXAOXc2ERDzrmRl4aGCkgFRFfWaiKU0rFUjPgQc3DUvgIjTzfB53JTQ/BUd+lz8q2OGqRAPKlxwO9AQ1HOYAESuVdeU9q3sZgSMRJi8Fzj
SpamDiagnosticOutput: 1:23
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Apr 2016 17:02:04.8086 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR1201MB1111
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2587
Lines: 79

On 04/12/2016 09:28 AM, Greg Kroah-Hartman wrote:
> On Tue, Apr 12, 2016 at 02:56:52AM +0100, Ben Hutchings wrote:
>> On Sun, 2016-04-10 at 11:34 -0700, Greg Kroah-Hartman wrote:
>>> 4.5-stable review patch.  If anyone has any objections, please let me know.
>>
>> I object, because this introduces an information leak.
>>
>> [...]
>>> --- a/drivers/crypto/ccp/ccp-crypto-sha.c
>>> +++ b/drivers/crypto/ccp/ccp-crypto-sha.c
>>> @@ -210,14 +210,17 @@ static int ccp_sha_digest(struct ahash_r
>>>  static int ccp_sha_export(struct ahash_request *req, void *out)
>>>  {
>>>  	struct ccp_sha_req_ctx *rctx = ahash_request_ctx(req);
>>> -	struct ccp_sha_exp_ctx *state = out;
>>> +	struct ccp_sha_exp_ctx state;
>>
>> The structure was defined in the previous patch as:
>>
>>> +struct ccp_sha_exp_ctx {
>>> +	enum ccp_sha_type type;
>>
>> There will be padding between type and msg_bits on most architectures.
>>
>>> +	u64 msg_bits;
>>> +	unsigned int first;
>>> +
>>> +	u8 ctx[MAX_SHA_CONTEXT_SIZE];
>>> +
>>> +	unsigned int buf_count;
>>> +	u8 buf[MAX_SHA_BLOCK_SIZE];
>>
>> And more padding at the end of the structure.
>>
>>> +};
>>
>> Back to the code:
>>
>>> -	state->type = rctx->type;
>>> -	state->msg_bits = rctx->msg_bits;
>>> -	state->first = rctx->first;
>>> -	memcpy(state->ctx, rctx->ctx, sizeof(state->ctx));
>>> -	state->buf_count = rctx->buf_count;
>>> -	memcpy(state->buf, rctx->buf, sizeof(state->buf));
>>> +	state.type = rctx->type;
>>> +	state.msg_bits = rctx->msg_bits;
>>> +	state.first = rctx->first;
>>> +	memcpy(state.ctx, rctx->ctx, sizeof(state.ctx));
>>> +	state.buf_count = rctx->buf_count;
>>> +	memcpy(state.buf, rctx->buf, sizeof(state.buf));
>>> +
>>> +	/* 'out' may not be aligned so memcpy from local variable */
>>> +	memcpy(out, &state, sizeof(state));
>> [...]
>>
>> The padding was not initialised, but here we copy it to userland.
> 
> Nice catch.  Given that the user/kernel structure here doesn't seem very
> sane (implicit padding, etc.), shouldn't that be where this is fixed up
> to be a properly packed structure?  Or have padding where needed, along
> with a memset() call?

The structure is not meant for use outside the kernel - it's an opaque
blob that will be processed by the driver import function. So would it
be enough to just memset the struct ccp_sha_exp_ctx state variable to 0
before setting and copying it?  That should take care of any padding not
being initialized.

Thanks,
Tom

> 
> I'll leave this here, but will be expecting a follow-on patch to fix up
> the issues from the crypto developers.
> 
> thanks,
> 
> greg k-h
>