Subject: [crypto] fix writing into unallocated memory in setkey_aligned

setkey_unaligned() committed in ca7c39385ce1a7b44894a4b225a4608624e90730
overwrites unallocated memory in the following memset() because I used the
wrong buffer length.

Signed-off-by: Sebastian Siewior <[email protected]>
--- a/crypto/ablkcipher.c
+++ b/crypto/ablkcipher.c
@@ -35,7 +35,7 @@ static int setkey_unaligned(struct crypt
alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1);
memcpy(alignbuffer, key, keylen);
ret = cipher->setkey(tfm, alignbuffer, keylen);
- memset(alignbuffer, 0, absize);
+ memset(alignbuffer, 0, keylen);
kfree(buffer);
return ret;
}
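Review bot: the subject line names `setkey_aligned`, but the function in this hunk header (and in the blkcipher.c and cipher.c hunks) is `setkey_unaligned`, and in hash.c it is `hash_setkey_unaligned`. Please fix the subject so that a log search for the function name finds this fix. The code change itself, clearing `keylen` bytes to match the `memcpy(alignbuffer, key, keylen);` two lines up, looks right.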
--- a/crypto/blkcipher.c
+++ b/crypto/blkcipher.c
@@ -352,7 +352,7 @@ static int setkey_unaligned(struct crypt
alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1);
memcpy(alignbuffer, key, keylen);
ret = cipher->setkey(tfm, alignbuffer, keylen);
- memset(alignbuffer, 0, absize);
+ memset(alignbuffer, 0, keylen);
kfree(buffer);
return ret;
}
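Review bot: a short comment above `memset(alignbuffer, 0, keylen);` would keep this from regressing. `ALIGN()` can move `alignbuffer` forward from `buffer`, so any length that is counted from `buffer` is too long when applied at `alignbuffer`; stating that the wipe covers exactly what the `memcpy` wrote makes the invariant explicit.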
--- a/crypto/cipher.c
+++ b/crypto/cipher.c
@@ -36,7 +36,7 @@ static int setkey_unaligned(struct crypt
alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1);
memcpy(alignbuffer, key, keylen);
ret = cia->cia_setkey(tfm, alignbuffer, keylen);
- memset(alignbuffer, 0, absize);
+ memset(alignbuffer, 0, keylen);
kfree(buffer);
return ret;

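Review bot: `memcpy(alignbuffer, key, keylen);` at the top of this hunk depends on the same bound as the corrected memset, namely that the allocation behind `buffer` is large enough for `keylen` bytes starting at the aligned address. The allocation is outside the visible context, so please confirm in the changelog that its size accounts for the worst-case shift of `alignmask` bytes; otherwise the copy has the same overrun this patch removes from the wipe.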
--- a/crypto/hash.c
+++ b/crypto/hash.c
@@ -40,7 +40,7 @@ static int hash_setkey_unaligned(struct
alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1);
memcpy(alignbuffer, key, keylen);
ret = alg->setkey(crt, alignbuffer, keylen);
- memset(alignbuffer, 0, absize);
+ memset(alignbuffer, 0, keylen);
kfree(buffer);
return ret;
}
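Review bot: this is the fourth copy of the same align, copy, setkey, wipe, free sequence, and the same one-line correction had to be made in ablkcipher.c, blkcipher.c, cipher.c and hash.c. The copies differ only in the setkey call (`alg->setkey(crt, alignbuffer, keylen)` here), so consider a follow-up that moves the buffer handling into one shared helper, so that a length bug like this is fixed in one place.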


Subject: Re: [crypto] fix writing into unallocated memory in setkey_aligned

* Sebastian Siewior | 2007-08-02 14:57:43 [+0200]:

>setkey_unaligned() committed in ca7c39385ce1a7b44894a4b225a4608624e90730
>overwrites unallocated memory in the following memset() because I used the
>wrong buffer length.

Herbert, I am really sorry for introducing new bugs.

Sebastian

2007-08-03 12:34:28

by Herbert Xu

Subject: Re: [crypto] fix writing into unallocated memory in setkey_aligned

On Thu, Aug 02, 2007 at 02:57:43PM +0200, Sebastian Siewior wrote:
> setkey_unaligned() committed in ca7c39385ce1a7b44894a4b225a4608624e90730
> overwrites unallocated memory in the following memset() because I used the
> wrong buffer length.

Good catch. Thanks!

We don't have any in-tree users that will trigger this right
now do we?

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Subject: Re: [crypto] fix writing into unallocated memory in setkey_aligned

* Herbert Xu | 2007-08-03 20:34:25 [+0800]:

>On Thu, Aug 02, 2007 at 02:57:43PM +0200, Sebastian Siewior wrote:
>> setkey_unaligned() committed in ca7c39385ce1a7b44894a4b225a4608624e90730
>> overwrites unallocated memory in the following memset() because I used the
>> wrong buffer length.
>
>Good catch. Thanks!
>
>We don't have any in-tree users that will trigger this right
>now do we?

Why not? This is used by _any_ cipher/hash/... user in tree. Most of
algos specify an alignment of 3 what is very likely to become. I
checked IPsec and they allocated keys with an alignment of 7.
padlock-aes specifies an alignment of 15 so there is a 50-50 chance that
it will go well :)
I don't know if you count this as user, but tcrypt.c has an alignment of
3 and the tgr hash needs 7.

>Cheers,

Cheers,
Sebastian

2007-08-03 13:43:05

by Herbert Xu

Subject: Re: [crypto] fix writing into unallocated memory in setkey_aligned

On Fri, Aug 03, 2007 at 03:26:28PM +0200, Sebastian Siewior wrote:
>
> Why not? This is used by _any_ cipher/hash/... user in tree. Most of
> algos specify an alignment of 3 what is very likely to become. I
> checked IPsec and they allocated keys with an alignment of 7.
> padlock-aes specifies an alignment of 15 so there is a 50-50 chance that
> it will go well :)
> I don't know if you count this as user, but tcrypt.c has an alignment of
> 3 and the tgr hash needs 7.

Thanks for checking.

I'll get this pushed into stable too.

Cheers,

Subject: Re: [crypto] fix writing into unallocated memory in setkey_aligned

* Herbert Xu | 2007-08-03 21:43:02 [+0800]:

>On Fri, Aug 03, 2007 at 03:26:28PM +0200, Sebastian Siewior wrote:
>>
>> Why not? This is used by _any_ cipher/hash/... user in tree. Most of
>> algos specify an alignment of 3 what is very likely to become. I
>> checked IPsec and they allocated keys with an alignment of 7.
>> padlock-aes specifies an alignment of 15 so there is a 50-50 chance that
>> it will go well :)
>> I don't know if you count this as user, but tcrypt.c has an alignment of
>> 3 and the tgr hash needs 7.
>
>Thanks for checking.
np

>I'll get this pushed into stable too.

This bug is only available in upcoming v2.6.23, isn't it?

>Cheers,

Sebastian

2007-08-03 15:13:45

by Herbert Xu

Subject: Re: [crypto] fix writing into unallocated memory in setkey_aligned

On Fri, Aug 03, 2007 at 03:58:56PM +0200, Sebastian Siewior wrote:
>
> >I'll get this pushed into stable too.
>
> This bug is only available in upcoming v2.6.23, isn't it?

Indeed. Excellent, it's only needed for the 2.6.23 tree.

Thanks,