Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp684970pxb;
        Tue, 5 Apr 2022 18:42:59 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwajakvXWCLolSWx3sJkiu9GRxqKjJGnGeXZ8C45HAjZinALvQxJx+MUAeZozZHdFN//Q9r
X-Received: by 2002:a05:6402:4407:b0:419:3859:697e with SMTP id y7-20020a056402440700b004193859697emr6370591eda.400.1649209379200;
        Tue, 05 Apr 2022 18:42:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1649209379; cv=none;
        d=google.com; s=arc-20160816;
        b=V4ij6l4gTGn2xQL0aY+tmx0aPj+eP76clmQ90G8TX758exQIigIDyZKl541GgCrypy
         gfU4jh1cTmVvOTWEwRvU6iiSDnBEioXzmXk287QTKqowyIN7qqfDDxdlEUeRho+oc0Rv
         KNSRT3zv54neEHHTSxmtEHKUUQeaN0NyXRkfRG+whxesE6f/sNxZIUEjMRLhPpwGyPAd
         o6bmzRqwEU4zqdgydfWfBf1dMQepDZdvqHoc/Hr6TOphwZY+WnOCp1g2CdqeYwWaE8B4
         6sV5vkupCGBHgnw6Xm3K0/NN0V1RfWmhkeAXVa3kEs/0FMAhIzWn/AiDhw07APp7Stt6
         6prg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=NXQ8kYaoWPj1mJo00s5AmGngIsqbCYaAoGdCmw48Nxc=;
        b=ViUNUv8Vlh/LAfRNDUupF0XWP4k4Ryr3S1z7rTBMdZAPzyMDoylUljN0AEjiIAmGNO
         MGdyT7zoeypEVecJ55Y8B4Jp+EWWTbhC+DgomxXS9we4PI50/PhdQl5EG1SNzGDnKZzg
         P8iUJjspygmdlDpKgUrBYfcIiMjVsZtg8ti2cQUvgN7/cDbRrhw+51K9NraninOpkILQ
         eYZzhayHUj/ghPR2qOWgqSGSrk2ZtsPI1KPoBrQBY+PrdLV+Ws6qtjJ3irGcm4/ruBzb
         GNGKmWrmjy2/DUmT6eddjVWIoLaWIvdSwwT5gzZe5Sj8jFmiUnn5V3J3O1L1snub3uIs
         AO6g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=lfPnZZzE;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id r26-20020a056402019a00b00418c2b5bf0csi9559104edv.494.2022.04.05.18.42.32;
        Tue, 05 Apr 2022 18:42:59 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=lfPnZZzE;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S235090AbiDEH7X (ORCPT <rfc822;arunks.linux@gmail.com>
        + 99 others); Tue, 5 Apr 2022 03:59:23 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47094 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233575AbiDEHsA (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 5 Apr 2022 03:48:00 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C128C281;
        Tue,  5 Apr 2022 00:46:02 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 5486BB81BA4;
        Tue,  5 Apr 2022 07:46:01 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id B4A52C3410F;
        Tue,  5 Apr 2022 07:45:59 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1649144760;
        bh=jLJHdncUYIgkXzg4FNI//hgrXP1ygYahSZ/ZDNplSPI=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=lfPnZZzE9L01obbt4bCXJrRUyUVhENl0f/IiDBiEpVVjQURWnPziIzh0uMFHpZI0t
         dUasT5zfA5IZfMwL6Wh3qoCxUzbgGTpyDlxk0sH2r/z8kAOiCrTTxeLpQVAIn9DJ2k
         zb1/DC3hNkBBsBJfAVKIGeHa/mDQtS0klwN72SRM=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Vitaly Chikunov <vt@altlinux.org>,
        Eric Biggers <ebiggers@google.com>,
        Herbert Xu <herbert@gondor.apana.org.au>
Subject: [PATCH 5.17 0161/1126] crypto: rsa-pkcs1pad - correctly get hash from source scatterlist
Date:   Tue,  5 Apr 2022 09:15:08 +0200
Message-Id: <20220405070412.318064223@linuxfoundation.org>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20220405070407.513532867@linuxfoundation.org>
References: <20220405070407.513532867@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Eric Biggers <ebiggers@google.com>

commit e316f7179be22912281ce6331d96d7c121fb2b17 upstream.

Commit c7381b012872 ("crypto: akcipher - new verify API for public key
algorithms") changed akcipher_alg::verify to take in both the signature
and the actual hash and do the signature verification, rather than just
return the hash expected by the signature as was the case before.  To do
this, it implemented a hack where the signature and hash are
concatenated with each other in one scatterlist.

Obviously, for this to work correctly, akcipher_alg::verify needs to
correctly extract the two items from the scatterlist it is given.
Unfortunately, it doesn't correctly extract the hash in the case where
the signature is longer than the RSA key size, as it assumes that the
signature's length is equal to the RSA key size.  This causes a prefix
of the hash, or even the entire hash, to be taken from the *signature*.

(Note, the case of a signature longer than the RSA key size should not
be allowed in the first place; a separate patch will fix that.)

It is unclear whether the resulting scheme has any useful security
properties.

Fix this by correctly extracting the hash from the scatterlist.

Fixes: c7381b012872 ("crypto: akcipher - new verify API for public key algorithms")
Cc: <stable@vger.kernel.org> # v5.2+
Reviewed-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 crypto/rsa-pkcs1pad.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/crypto/rsa-pkcs1pad.c
+++ b/crypto/rsa-pkcs1pad.c
@@ -495,7 +495,7 @@ static int pkcs1pad_verify_complete(stru
 			   sg_nents_for_len(req->src,
 					    req->src_len + req->dst_len),
 			   req_ctx->out_buf + ctx->key_size,
-			   req->dst_len, ctx->key_size);
+			   req->dst_len, req->src_len);
 	/* Do the actual verification step. */
 	if (memcmp(req_ctx->out_buf + ctx->key_size, out_buf + pos,
 		   req->dst_len) != 0)