Date: Mon, 8 Apr 2019 14:23:54 +0800
From: Herbert Xu
To: Eric Biggers
Cc: linux-crypto@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [RFC/RFT PATCH 04/18] crypto: skcipher - restore default skcipher_walk::iv on error
Message-ID: <20190408062354.nfxkxj333ocrs52z@gondor.apana.org.au>
In-Reply-To: <20190331200428.26597-5-ebiggers@kernel.org>

Eric Biggers wrote:
> From: Eric Biggers
>
> When the user-provided IV buffer is not aligned to the algorithm's
> alignmask, skcipher_walk_virt() allocates an aligned buffer and copies
> the IV into it. However, skcipher_walk_virt() can fail after that
> point, and in this case the buffer will be freed.
>
> This causes a use-after-free read in callers that read from walk->iv
> unconditionally, e.g. the LRW template. For example, this can be
> reproduced by trying to encrypt fewer than 16 bytes using "lrw(aes)".

This looks like a bug in LRW. Relying on walk->iv to be set to
anything after a failed skcipher_walk_virt call is wrong. So we
should fix it there instead.

Cheers,
--
Email: Herbert Xu
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
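
Added illustration, not part of the message above and not code from the patch, LRW or the kernel: a user-space model of the failure path in this thread, comparing the two fixes discussed (restoring walk->iv on error, and checking the error before reading walk->iv). walk_model, walk_virt_model() and caller_model() are hypothetical names, malloc() stands in for the walk's aligned allocation, and the stale pointer is tracked with a flag instead of being dereferenced.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { BLOCK = 16, ALIGNMASK = 15 }; /* assumed sizes for the lrw(aes) case */
struct walk_model {        /* hypothetical stand-in for skcipher_walk */
    uint8_t *iv, *buffer;  /* iv: what callers read; buffer: walk-owned copy */
    int iv_stale;          /* 1 once iv names memory that was freed */
};
/* Copy a misaligned IV, then fail on short input as the thread describes. */
static int walk_virt_model(struct walk_model *w, uint8_t *user_iv, size_t len, int restore_iv)
{
    *w = (struct walk_model){ .iv = user_iv };
    if ((uintptr_t)user_iv & ALIGNMASK) {
        w->buffer = malloc(BLOCK); /* stands in for the aligned allocation */
        if (!w->buffer)
            return -ENOMEM;
        memcpy(w->buffer, user_iv, BLOCK);
        w->iv = w->buffer;
    }
    if (len >= BLOCK)
        return 0;
    if (w->buffer) {               /* error path frees the copy */
        free(w->buffer);
        w->iv_stale = !restore_iv; /* unpatched: walk->iv now dangles */
        if (restore_iv)
            w->iv = user_iv;       /* patch: point back at the caller's IV */
    }
    return -EINVAL;
}

/* Returns 1 if the caller would read freed memory through w.iv, else 0. */
static int caller_model(size_t len, int restore_iv, int check_err_first)
{
    uint8_t storage[BLOCK + 1] = {0};
    uint8_t *user_iv = storage + !((uintptr_t)storage & ALIGNMASK); /* misaligned */
    struct walk_model w;
    int err = walk_virt_model(&w, user_iv, len, restore_iv);
    if (!err)
        free(w.buffer);            /* success: release the copy normally */
    return (err && check_err_first) ? 0 : w.iv_stale;
}

int main(void)
{
    printf("unfixed=%d restore_iv=%d check_err=%d\n", caller_model(8, 0, 0), caller_model(8, 1, 0), caller_model(8, 0, 1));
}
```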