Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4875566pxj; Wed, 12 May 2021 15:24:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxJxhdJPZyjBt8q0FkLMXjQhoWl3/m8epY2sRiUA+CAZoG8mqqBH1t1lfOonM881T7B2UUl X-Received: by 2002:aa7:c7d3:: with SMTP id o19mr31985686eds.142.1620858268699; Wed, 12 May 2021 15:24:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620858268; cv=none; d=google.com; s=arc-20160816; b=sgSw1CCLUFslaC+uYwnynFDyQ7U16dWvYmPsYnh5MfPFAQAYoh9jfS0egIDPQbw56F UHEU2LimA9ir1VcM8oFRlg4Vu7u4jBMIBdGlXZWBjq6M0AthFzceVFPd+II/TKNUwthp Bz0u+nV6KdJLzfoYkB/J9TXJD8RE+IhkQtde5CXBpnx64ezL0i1fuyw6Yy99wrkBxSVV CcuFxn2ZWDIqlRO5rAL/200bueDJTaTAY4UUMGr9XjLgx7X4IcNpU1DuzOvkBV/vbKBv f7UvMPd/PRS1jK666UBAHFqEX+PS/K5Y9UthuoSdlS+3k3No1yijpDVzXtALAja0e2R6 zRGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=D3eJIgdItqTUP2qMFnudnlnPv0M/eA1KecvC1Livn8g=; b=U7WiPBWKnN7cbhOqjCdkiEr4v15P71zZ7ChbbVVvxVBunEUjZ81VndF/nZzB1A2FLK nN4aKlzYoX1W9D/Qc00IC83g7DYadN2buG3IaSssO1N+cqoeKjXRiePkYk/6SHCUHvea B+kOM04s30qRTrKcnh258eul1eLot5uvkiVUI0nL7ciqx3sBU0EbvD2lBoa+oug4Pymf fCzkRx5ok33bMfGMBGcw4CH3UkNlcC381pn1VrJR+ezWHDJmY2owQiRn3gBQM/5OttBl qJrWwA0qe4EeiOaWDJze/rx8dSFbNkqlhCUVuXRADYtPUAcPd/k1TWj9BdzjvLPM4JTG 0SsQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=TI6i2pnr; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t12si1192908edc.33.2021.05.12.15.23.22; Wed, 12 May 2021 15:24:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=TI6i2pnr; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231204AbhELWUz (ORCPT + 99 others); Wed, 12 May 2021 18:20:55 -0400 Received: from mail.kernel.org ([198.145.29.99]:49204 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1387602AbhELVZa (ORCPT ); Wed, 12 May 2021 17:25:30 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 1C88E613E6 for ; Wed, 12 May 2021 21:24:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1620854661; bh=dpMpwE/+0xsrNEBWSrB3F2tfcXWYhcQJFd7Iugffe4g=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=TI6i2pnrjixOQ0EjSlyqNi776kSVB26wcmAwfSxkf8IAT8tjTGYETNOmQmVmIOozX uElNWaC2sIgq0uigB5eT9PK8DK5BlntjroQBeTrYDvFZighVUHMzI+pgjcrW6vnRfe zZ7avYbmJc5WDFYGTgU0KarRQRGSapYh6LcQALob12EIRLzIf8ZZJxG5DUpz6kyWZI luOwi9Bh/G6PbEEuKz6M3QEvh1k30qsZvjrcXNbjLRPmyVrNfN23pJozx0+UMq6hu2 2uY2gXVqyEqafogjKgEXn2MURj5cOj6RcEMU2DYvGFde3MC+BkfQL8UZq5ZiBpR7Pc g5gfo45WZU7CQ== Received: by mail-ot1-f54.google.com with SMTP id g15-20020a9d128f0000b02902a7d7a7bb6eso21872159otg.9 for ; Wed, 12 May 2021 14:24:21 -0700 (PDT) X-Gm-Message-State: AOAM530koBdD/2PT2Wk9PgcHo7giVugBPq223w/tGZusQOrHqeaGpJHd StNyiG5JXCUHh5+hLR55I6pbonJMdo8WvmPy9Jg= X-Received: by 2002:a9d:7cd8:: with SMTP id r24mr20523715otn.90.1620854660323; Wed, 12 May 2021 14:24:20 -0700 (PDT) MIME-Version: 1.0 References: <20210512184439.8778-1-ardb@kernel.org> <20210512184439.8778-2-ardb@kernel.org> In-Reply-To: From: Ard Biesheuvel Date: Wed, 12 May 2021 23:24:09 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v3 1/7] crypto: handle zero sized AEAD inputs correctly To: Eric Biggers Cc: Linux Crypto Mailing List , Linux ARM , Herbert Xu , Will Deacon , Android Kernel Team Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Wed, 12 May 2021 at 22:04, Eric Biggers wrote: > > On Wed, May 12, 2021 at 08:44:33PM +0200, Ard Biesheuvel wrote: > > There are corner cases where skcipher_walk_aead_[en|de]crypt() may be > > invoked with a zero sized input, which is not rejected by the walker > > code, but results in the skcipher_walk structure to not be fully > > initialized. This will leave stale values in its page and buffer > > members, which will be subsequently passed to kfree() or free_page() by > > skcipher_walk_done(), resulting in a crash if those routines fail to > > identify them as in valid inputs. > > > > Fix this by setting page and buffer to NULL even if the size of the > > input is zero. > > > > Signed-off-by: Ard Biesheuvel > > Is this fixing an existing bug, or only a bug that got exposed by this patchset? > It would be helpful to make that clear (and if it fixes an existing bug, include > a Fixes tag). > The CCM change in the last patch uncovers this issue, and I don't think it is likely we would ever hit it anywhere else. > Also, skcipher_walk_virt() doesn't set page and buffer to NULL, as it is > currently expected that skcipher_walk_done() is only called when > walk.nbytes != 0. Is something different for skcipher_walk_aead_[en|de]crypt()? > The difference is that zero sized inputs never make sense for skciphers, but for AEADs, they could occur, even if they are uncommon (the AEAD could have associated data only, and no plain/ciphertext) But in the general case, I would assume that skcipher_walk_done() can be called on a walk that was successfully started with skcipher_walk_virt() without crashing, even if the scatterlist has size zero, so perhaps we should fix that one as well.