21 Nov, 2017

1 commit

• a37b2a1cc   crypto: dh - Fix double free of ctx->p ... Browse Code »

  commit 12d41a023efb01b846457ccdbbcbe2b65a87d530 upstream.

  When setting the secret with the software Diffie-Hellman implementation,
  if allocating 'g' failed (e.g. if it was longer than
  MAX_EXTERN_MPI_BITS), then 'p' was freed twice: once immediately, and
  once later when the crypto_kpp tfm was destroyed.

  Fix it by using dh_free_ctx() (renamed to dh_clear_ctx()) in the error
  paths, as that correctly sets the pointers to NULL.

  KASAN report:

  MPI: mpi too large (32760 bits)
  ==================================================================
  BUG: KASAN: use-after-free in mpi_free+0x131/0x170
  Read of size 4 at addr ffff88006c7cdf90 by task reproduce_doubl/367

  CPU: 1 PID: 367 Comm: reproduce_doubl Not tainted 4.14.0-rc7-00040-g05298abde6fe #7
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  Call Trace:
  dump_stack+0xb3/0x10b
  ? mpi_free+0x131/0x170
  print_address_description+0x79/0x2a0
  ? mpi_free+0x131/0x170
  kasan_report+0x236/0x340
  ? akcipher_register_instance+0x90/0x90
  __asan_report_load4_noabort+0x14/0x20
  mpi_free+0x131/0x170
  ? akcipher_register_instance+0x90/0x90
  dh_exit_tfm+0x3d/0x140
  crypto_kpp_exit_tfm+0x52/0x70
  crypto_destroy_tfm+0xb3/0x250
  __keyctl_dh_compute+0x640/0xe90
  ? kasan_slab_free+0x12f/0x180
  ? dh_data_from_key+0x240/0x240
  ? key_create_or_update+0x1ee/0xb20
  ? key_instantiate_and_link+0x440/0x440
  ? lock_contended+0xee0/0xee0
  ? kfree+0xcf/0x210
  ? SyS_add_key+0x268/0x340
  keyctl_dh_compute+0xb3/0xf1
  ? __keyctl_dh_compute+0xe90/0xe90
  ? SyS_add_key+0x26d/0x340
  ? entry_SYSCALL_64_fastpath+0x5/0xbe
  ? trace_hardirqs_on_caller+0x3f4/0x560
  SyS_keyctl+0x72/0x2c0
  entry_SYSCALL_64_fastpath+0x1f/0xbe
  RIP: 0033:0x43ccf9
  RSP: 002b:00007ffeeec96158 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa
  RAX: ffffffffffffffda RBX: 000000000248b9b9 RCX: 000000000043ccf9
  RDX: 00007ffeeec96170 RSI: 00007ffeeec96160 RDI: 0000000000000017
  RBP: 0000000000000046 R08: 0000000000000000 R09: 0248b9b9143dc936
  R10: 0000000000001000 R11: 0000000000000246 R12: 0000000000000000
  R13: 0000000000409670 R14: 0000000000409700 R15: 0000000000000000

  Allocated by task 367:
  save_stack_trace+0x16/0x20
  kasan_kmalloc+0xeb/0x180
  kmem_cache_alloc_trace+0x114/0x300
  mpi_alloc+0x4b/0x230
  mpi_read_raw_data+0xbe/0x360
  dh_set_secret+0x1dc/0x460
  __keyctl_dh_compute+0x623/0xe90
  keyctl_dh_compute+0xb3/0xf1
  SyS_keyctl+0x72/0x2c0
  entry_SYSCALL_64_fastpath+0x1f/0xbe

  Freed by task 367:
  save_stack_trace+0x16/0x20
  kasan_slab_free+0xab/0x180
  kfree+0xb5/0x210
  mpi_free+0xcb/0x170
  dh_set_secret+0x2d7/0x460
  __keyctl_dh_compute+0x623/0xe90
  keyctl_dh_compute+0xb3/0xf1
  SyS_keyctl+0x72/0x2c0
  entry_SYSCALL_64_fastpath+0x1f/0xbe

  Fixes: 802c7f1c84e4 ("crypto: dh - Add DH software implementation")
  Signed-off-by: Eric Biggers
  Reviewed-by: Tudor Ambarus
  Signed-off-by: Herbert Xu
  Signed-off-by: Greg Kroah-Hartman

  Eric Biggers

  2017-11-21 16:49:20 +0800  

10 Jun, 2017

3 commits

• 7f6910507   crypto: dh - comply with crypto_kpp_maxsize() ... Browse Code »

  crypto_kpp_maxsize() asks for the output buffer size without
  caring for errors. It allways assume that will be called after
  a valid setkey. Comply with it and return what he wants.

  Signed-off-by: Tudor Ambarus
  Signed-off-by: Herbert Xu

  Tudor-Dan Ambarus

  2017-06-10 12:04:27 +0800  
• ee34e2644   crypto: dh - fix memleak in setkey ... Browse Code »

  setkey can be called multiple times during the existence
  of the transformation object. In case of multiple setkey calls,
  the old key was not freed and we leaked memory.
  Free the old MPI key if any.

  Signed-off-by: Tudor Ambarus
  Signed-off-by: Herbert Xu

  Tudor-Dan Ambarus

  2017-06-10 12:04:26 +0800  
• c0ca1215d   crypto: kpp, (ec)dh - fix typos ... Browse Code »

  While here, add missing argument description (ndigits).

  Signed-off-by: Tudor Ambarus
  Signed-off-by: Herbert Xu

  Tudor-Dan Ambarus

  2017-06-10 12:04:25 +0800  

09 Mar, 2017

1 commit

• 5527dfb6d   crypto: kpp - constify buffer passed to crypto_kpp_set_secret() ... Browse Code »

  Constify the buffer passed to crypto_kpp_set_secret() and
  kpp_alg.set_secret, since it is never modified.

  Signed-off-by: Eric Biggers
  Signed-off-by: Herbert Xu

  Eric Biggers

  2017-03-09 18:34:27 +0800  

13 Nov, 2016

1 commit

• 8edda7d22   crypto: dh - Consistenly return negative error codes ... Browse Code »

  Fix the single instance where a positive EINVAL was returned.

  Signed-off-by: Mat Martineau
  Signed-off-by: Herbert Xu

  Mat Martineau

  2016-11-13 17:45:04 +0800  

01 Jul, 2016

1 commit

• 9b45b7bba   crypto: rsa - Generate fixed-length output ... Browse Code »

  Every implementation of RSA that we have naturally generates
  output with leading zeroes. The one and only user of RSA,
  pkcs1pad wants to have those leading zeroes in place, in fact
  because they are currently absent it has to write those zeroes
  itself.

  So we shouldn't be stripping leading zeroes in the first place.
  In fact this patch makes rsa-generic produce output with fixed
  length so that pkcs1pad does not need to do any extra work.

  This patch also changes DH to use the new interface.

  Signed-off-by: Herbert Xu

  Herbert Xu

  2016-07-01 23:45:18 +0800  

23 Jun, 2016

1 commit

• 802c7f1c8   crypto: dh - Add DH software implementation ... Browse Code »

  * Implement MPI based Diffie-Hellman under kpp API
  * Test provided uses data generad by OpenSSL

  Signed-off-by: Salvatore Benedetto
  Signed-off-by: Herbert Xu

  Salvatore Benedetto

  2016-06-23 18:29:56 +0800