1 | From 767f015ea0b7ab9d60432ff6cd06b664fd71f50f Mon Sep 17 00:00:00 2001 |
2 | From: Eric Biggers <ebiggers@google.com> | |
3 | Date: Tue, 9 Apr 2019 23:46:31 -0700 | |
4 | Subject: crypto: arm/aes-neonbs - don't access already-freed walk.iv | |
5 | ||
6 | From: Eric Biggers <ebiggers@google.com> | |
7 | ||
8 | commit 767f015ea0b7ab9d60432ff6cd06b664fd71f50f upstream. | |
9 | ||
10 | If the user-provided IV needs to be aligned to the algorithm's | |
11 | alignmask, then skcipher_walk_virt() copies the IV into a new aligned | |
12 | buffer walk.iv. But skcipher_walk_virt() can fail afterwards, and then | |
13 | if the caller unconditionally accesses walk.iv, it's a use-after-free. | |
14 | ||
15 | arm32 xts-aes-neonbs doesn't set an alignmask, so currently it isn't | |
16 | affected by this despite unconditionally accessing walk.iv. However | |
17 | this is more subtle than desired, and it was actually broken prior to | |
18 | the alignmask being removed by commit cc477bf64573 ("crypto: arm/aes - | |
19 | replace bit-sliced OpenSSL NEON code"). Thus, update xts-aes-neonbs to | |
20 | start checking the return value of skcipher_walk_virt(). | |
21 | ||
22 | Fixes: e4e7f10bfc40 ("ARM: add support for bit sliced AES using NEON instructions") | |
23 | Cc: <stable@vger.kernel.org> # v3.13+ | |
24 | Signed-off-by: Eric Biggers <ebiggers@google.com> | |
25 | Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> | |
26 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
27 | ||
28 | ||
29 | --- | |
30 | arch/arm/crypto/aesbs-glue.c | 4 ++++ | |
31 | 1 file changed, 4 insertions(+) | |
32 | ||
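--- a/arch/arm/crypto/aesbs-glue.c
+++ b/arch/arm/crypto/aesbs-glue.c
@@ -259,6 +259,8 @@ static int aesbs_xts_encrypt(struct blkc
 
 blkcipher_walk_init(&walk, dst, src, nbytes);
 err = blkcipher_walk_virt_block(desc, &walk, 8 * AES_BLOCK_SIZE);
+ if (err)
+ return err;
 
 /* generate the initial tweak */
 AES_encrypt(walk.iv, walk.iv, &ctx->twkey);
@@ -283,6 +285,8 @@ static int aesbs_xts_decrypt(struct blkc
 
 blkcipher_walk_init(&walk, dst, src, nbytes);
 err = blkcipher_walk_virt_block(desc, &walk, 8 * AES_BLOCK_SIZE);
+ if (err)
+ return err;
 
 /* generate the initial tweak */
 AES_encrypt(walk.iv, walk.iv, &ctx->twkey);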
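Review bot: The two added `if (err) return err;` checks carry no comment saying why the function must return before the tweak is generated, and the reason is not visible in the code. Per the commit message, a failed walk setup can leave `walk.iv` pointing at an already-freed aligned copy of the IV, which the following `AES_encrypt(walk.iv, walk.iv, &ctx->twkey)` would then read and write. I would add above each check, in aesbs_xts_encrypt() and aesbs_xts_decrypt(), `/* on failure walk.iv may already be freed; do not touch it */` so a later refactor does not move the tweak setup back in front of the check. The message describes skcipher_walk_virt(), while these hunks guard blkcipher_walk_virt_block(), so this appears to be a backport to the older blkcipher code, where the message suggests the alignmask case was actually reachable. Both function bodies start and end outside the hunks.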