2022-07-26 08:08:53

by Zhang Xiaoxu

[permalink] [raw]
Subject: [PATCH -next] crypto: testmgr - fix oob read when test RSA vectors

The definition of key before coefficient should not add comma.
Otherwise there will be OOB read happened as follow:

BUG: KASAN: global-out-of-bounds in test_akcipher_one+0x1ae/0xb20
Read of size 607 at addr ffffffff99f95ac0 by task cryptomgr_test/198

CPU: 5 PID: 198 Comm: cryptomgr_test Not tainted 5.19.0-rc7-next-20220722-00002-g4628e935ed92-dirty #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x34/0x44
print_report.cold+0x59/0x682
kasan_report+0xa3/0x120
kasan_check_range+0x145/0x1a0
memcpy+0x20/0x60
test_akcipher_one+0x1ae/0xb20
alg_test_akcipher+0x94/0xb0
alg_test.part.0+0x467/0x510
cryptomgr_test+0x36/0x60
kthread+0x165/0x1a0
ret_from_fork+0x1f/0x30
</TASK>

Remove the comma before coefficient.

Fixes: 79e6e2f3f3ff3 ("crypto: testmgr - populate RSA CRT parameters in RSA test vectors")
Signed-off-by: Zhang Xiaoxu <[email protected]>
---
crypto/testmgr.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index dee88510f58d..57da8c8b4574 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -273,7 +273,7 @@ static const struct akcipher_testvec rsa_tv_template[] = {
"\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
"\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
"\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D"
- "\x02\x41", /* coefficient - integer of 65 bytes */
+ "\x02\x41" /* coefficient - integer of 65 bytes */
"\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
"\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
"\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
@@ -370,7 +370,7 @@ static const struct akcipher_testvec rsa_tv_template[] = {
"\x6A\x37\x3B\x86\x6C\x51\x37\x5B\x1D\x79\xF2\xA3\x43\x10\xC6\xA7"
"\x21\x79\x6D\xF9\xE9\x04\x6A\xE8\x32\xFF\xAE\xFD\x1C\x7B\x8C\x29"
"\x13\xA3\x0C\xB2\xAD\xEC\x6C\x0F\x8D\x27\x12\x7B\x48\xB2\xDB\x31"
- "\x02\x81\x81", /* coefficient - integer of 129 bytes */
+ "\x02\x81\x81" /* coefficient - integer of 129 bytes */
"\x00\x8D\x1B\x05\xCA\x24\x1F\x0C\x53\x19\x52\x74\x63\x21\xFA\x78"
"\x46\x79\xAF\x5C\xDE\x30\xA4\x6C\x20\x38\xE6\x97\x39\xB8\x7A\x70"
"\x0D\x8B\x6C\x6D\x13\x74\xD5\x1C\xDE\xA9\xF4\x60\x37\xFE\x68\x77"
--
2.31.1


2022-07-26 14:32:34

by Ignat Korchagin

[permalink] [raw]
Subject: Re: [PATCH -next] crypto: testmgr - fix oob read when test RSA vectors

On Tue, Jul 26, 2022 at 9:01 AM Zhang Xiaoxu <[email protected]> wrote:
>
> The definition of key before coefficient should not add comma.
> Otherwise there will be OOB read happened as follow:
>
> BUG: KASAN: global-out-of-bounds in test_akcipher_one+0x1ae/0xb20
> Read of size 607 at addr ffffffff99f95ac0 by task cryptomgr_test/198
>
> CPU: 5 PID: 198 Comm: cryptomgr_test Not tainted 5.19.0-rc7-next-20220722-00002-g4628e935ed92-dirty #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014
> Call Trace:
> <TASK>
> dump_stack_lvl+0x34/0x44
> print_report.cold+0x59/0x682
> kasan_report+0xa3/0x120
> kasan_check_range+0x145/0x1a0
> memcpy+0x20/0x60
> test_akcipher_one+0x1ae/0xb20
> alg_test_akcipher+0x94/0xb0
> alg_test.part.0+0x467/0x510
> cryptomgr_test+0x36/0x60
> kthread+0x165/0x1a0
> ret_from_fork+0x1f/0x30
> </TASK>
>
> Remove the comma before coefficient.

Thanks for the report, but it was already fixed in commit 9d2bb9a7
("crypto: testmgr - some more fixes to RSA test vectors
"), which is already on the latest linux-next.

> Fixes: 79e6e2f3f3ff3 ("crypto: testmgr - populate RSA CRT parameters in RSA test vectors")
> Signed-off-by: Zhang Xiaoxu <[email protected]>
> ---
> crypto/testmgr.h | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/crypto/testmgr.h b/crypto/testmgr.h
> index dee88510f58d..57da8c8b4574 100644
> --- a/crypto/testmgr.h
> +++ b/crypto/testmgr.h
> @@ -273,7 +273,7 @@ static const struct akcipher_testvec rsa_tv_template[] = {
> "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
> "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
> "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D"
> - "\x02\x41", /* coefficient - integer of 65 bytes */
> + "\x02\x41" /* coefficient - integer of 65 bytes */
> "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
> "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
> "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
> @@ -370,7 +370,7 @@ static const struct akcipher_testvec rsa_tv_template[] = {
> "\x6A\x37\x3B\x86\x6C\x51\x37\x5B\x1D\x79\xF2\xA3\x43\x10\xC6\xA7"
> "\x21\x79\x6D\xF9\xE9\x04\x6A\xE8\x32\xFF\xAE\xFD\x1C\x7B\x8C\x29"
> "\x13\xA3\x0C\xB2\xAD\xEC\x6C\x0F\x8D\x27\x12\x7B\x48\xB2\xDB\x31"
> - "\x02\x81\x81", /* coefficient - integer of 129 bytes */
> + "\x02\x81\x81" /* coefficient - integer of 129 bytes */
> "\x00\x8D\x1B\x05\xCA\x24\x1F\x0C\x53\x19\x52\x74\x63\x21\xFA\x78"
> "\x46\x79\xAF\x5C\xDE\x30\xA4\x6C\x20\x38\xE6\x97\x39\xB8\x7A\x70"
> "\x0D\x8B\x6C\x6D\x13\x74\xD5\x1C\xDE\xA9\xF4\x60\x37\xFE\x68\x77"
> --
> 2.31.1
>

Regards,
Ignat