Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp939944pxb;
        Wed, 6 Apr 2022 04:54:07 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxOL0osEaGlS14mb9Rc/LBhJbTmkJlCuzec2D/G19StQpETzRDVfEzGGfa80ULjSfx0hDd4
X-Received: by 2002:a05:6a00:3486:b0:4fa:bb7e:b4c7 with SMTP id cp6-20020a056a00348600b004fabb7eb4c7mr8407181pfb.4.1649246047315;
        Wed, 06 Apr 2022 04:54:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1649246047; cv=none;
        d=google.com; s=arc-20160816;
        b=g3V6ULksmcBWwFvROZZSLlkkmTigMvkkyOlES5X28iXmIWCWr9bEKrHvrtb7HCd5+L
         jv2FesDP9DitOpjJxuRHn2AyUZwATohHMZC/RwOUWFH7uUiu5D96dbJoAvTb728EQRXd
         Yxydk072dPuTS4ashiPCeniZjpoTHC1ei4cm0gN/lRsBouYwU63GSr0SgsMRCXYjhmcL
         KMPKPpv8herBr4L2qmM1GE2iqyhqgm9QhMrdT0IBKdly+LeGmxRhlW4CtsfQKufW4iYc
         4o12vnTg9gls15H1bVzPAlztgOtlFWXKKRmU3ti/+BB4VpYhPxdkfw0kLhckhqp1SlCG
         AYfQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=NXQ8kYaoWPj1mJo00s5AmGngIsqbCYaAoGdCmw48Nxc=;
        b=R0ZGqe0JUgBIGtgWrCS5gXCMtq8iM2yrQAmLdyqlW3QaJut1gRTO2VOx2hia1YrOa6
         hyJCZ3mOLEg+s37vfLP6VLO/mYpg7u8G4rGiXj8QUCj9ruw9mLQ9woVJmhGb0HMHYMuN
         Uo+PP5x2q/obvqzx5mluRClBUk74V9Kn4pgJj9TUdOsxhbbB1nT7mAmttsK9s6NI7FEL
         ZoGDWsa4VA32aF1/tx4T1Pn9ATu6rpv0R83KXh3na8GuUuvRXCB5g8N7FBWeHNeu+Cny
         4ZVsMm5uWDgXFNvvHXjRzrEjdRGNWlcHF3VQmiacOncc8219S30arYH654rBMed5CGOw
         5WiA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=pmq56trn;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18])
        by mx.google.com with ESMTPS id d11-20020a17090ad98b00b001bd14e01f27si4393874pjv.21.2022.04.06.04.54.06
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 06 Apr 2022 04:54:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=pmq56trn;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: from out1.vger.email (out1.vger.email [IPv6:2620:137:e000::1:20])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id 65CE55857F8;
	Wed,  6 Apr 2022 03:14:47 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1587891AbiDFAKn (ORCPT <rfc822;02joepater06@gmail.com>
        + 99 others); Tue, 5 Apr 2022 20:10:43 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59210 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1355928AbiDEKWO (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 5 Apr 2022 06:22:14 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 45A0DAA010;
        Tue,  5 Apr 2022 03:05:29 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id C2DE0B81C83;
        Tue,  5 Apr 2022 10:05:27 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1F958C385A1;
        Tue,  5 Apr 2022 10:05:25 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1649153126;
        bh=jLJHdncUYIgkXzg4FNI//hgrXP1ygYahSZ/ZDNplSPI=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=pmq56trnaWM/ZLl807DnxuOPUx6afykG188YNkm95olR/CmqPAjtY/7JyriasW4Ub
         Hl+fSA1FM/anTRMb4OcFCJGCYq9Mfe896e3g5vgQFRbQ5gNjpe7IXI+Bh+i6f2xs66
         0XS8sA6E+clfZHdwp2OT9pQ/WWzhKzW4va7Wk+6c=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Vitaly Chikunov <vt@altlinux.org>,
        Eric Biggers <ebiggers@google.com>,
        Herbert Xu <herbert@gondor.apana.org.au>
Subject: [PATCH 5.10 110/599] crypto: rsa-pkcs1pad - correctly get hash from source scatterlist
Date:   Tue,  5 Apr 2022 09:26:44 +0200
Message-Id: <20220405070302.109508656@linuxfoundation.org>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20220405070258.802373272@linuxfoundation.org>
References: <20220405070258.802373272@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE
	autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Eric Biggers <ebiggers@google.com>

commit e316f7179be22912281ce6331d96d7c121fb2b17 upstream.

Commit c7381b012872 ("crypto: akcipher - new verify API for public key
algorithms") changed akcipher_alg::verify to take in both the signature
and the actual hash and do the signature verification, rather than just
return the hash expected by the signature as was the case before.  To do
this, it implemented a hack where the signature and hash are
concatenated with each other in one scatterlist.

Obviously, for this to work correctly, akcipher_alg::verify needs to
correctly extract the two items from the scatterlist it is given.
Unfortunately, it doesn't correctly extract the hash in the case where
the signature is longer than the RSA key size, as it assumes that the
signature's length is equal to the RSA key size.  This causes a prefix
of the hash, or even the entire hash, to be taken from the *signature*.

(Note, the case of a signature longer than the RSA key size should not
be allowed in the first place; a separate patch will fix that.)

It is unclear whether the resulting scheme has any useful security
properties.

Fix this by correctly extracting the hash from the scatterlist.

Fixes: c7381b012872 ("crypto: akcipher - new verify API for public key algorithms")
Cc: <stable@vger.kernel.org> # v5.2+
Reviewed-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 crypto/rsa-pkcs1pad.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/crypto/rsa-pkcs1pad.c
+++ b/crypto/rsa-pkcs1pad.c
@@ -495,7 +495,7 @@ static int pkcs1pad_verify_complete(stru
 			   sg_nents_for_len(req->src,
 					    req->src_len + req->dst_len),
 			   req_ctx->out_buf + ctx->key_size,
-			   req->dst_len, ctx->key_size);
+			   req->dst_len, req->src_len);
 	/* Do the actual verification step. */
 	if (memcmp(req_ctx->out_buf + ctx->key_size, out_buf + pos,
 		   req->dst_len) != 0)